Another approach is decentralized specialized teams, centers of excellence in current managementspeak, with a specific agenda and expertise on an area deemed strategic. This approach is probably best paired with 2,3, or 4 from your list. For example, a roving specialized threat modeling team that works with many groups to help develop threat models, attack patterns, tests, and so on. Or a roving team that focuses on build secure web apps and cuts across groups for specialized tasks for secure web app dev, say how do I use cardspace in my web app?
Once you figure out what your strategic goals are for security - threat modeling, cardspace, static analysis, secure web app deve, etc. You can use #2 to focus them on the right stuff, or use #3 as roving advisers (like the cia in the cold war), or in #4 arm them with a tool or technology like XML Security gateway or static analysis tools to make a small band more effective in a large organization. -gp On 1/9/08 6:48 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote: > hi sc-l, > > One of the biggest hurdles facing software security is the problem of how to > get started, especially when faced with an enterprise-level challenge. My > first darkreading column for 2008 is about how to get started in software > security. In the article, I describe four approaches: > 1. the top-down framework; > 2. portfolio risk; > 3. training first; and > 4. leading with a tool. > > We've tried them all with some success at different Cigital customers. > > Are there other ways to get started that have worked for you? > > By the way, I can use your help. Darkreading is beginning to track reaction > to topics more carefully than in the past. You can help make software > security more prominent by reading the article and passing the URL on to > others you may find interested. Another thing that helps is posting to the > message boards. Thanks in advance. > > Here's to even more widespread software security in 2008! > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > blog www.cigital.com/justiceleague > book www.swsec.com > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________