Gary, Interesting article. May I ask, why get started with only one of these approaches? Since 1-3 effects different parts of the organization (portfolio risk seems like a biz-management approach, top-down framework seems to effect software development management, and training effects developers, primarily) - why not *start* an initiative on all levels? In fact, doesn't it really take all of the above to truly effect permanent change in an organization?
4) Makes me nervous. I worry if you just toss a very expensive static code analysis or app scanning tool at development staff, you only provide a false sense of security since the coverage of even the best application security tools is very limited. Doesn't it take rather in-depth developer training and awareness for a tool to be truly useful? - Jim > hi sc-l, > > One of the biggest hurdles facing software security is the problem of how to > get started, especially when faced with an enterprise-level challenge. My > first darkreading column for 2008 is about how to get started in software > security. In the article, I describe four approaches: > 1. the top-down framework; > 2. portfolio risk; > 3. training first; and > 4. leading with a tool. > > We've tried them all with some success at different Cigital customers. > > Are there other ways to get started that have worked for you? > > By the way, I can use your help. Darkreading is beginning to track reaction > to topics more carefully than in the past. You can help make software > security more prominent by reading the article and passing the URL on to > others you may find interested. Another thing that helps is posting to the > message boards. Thanks in advance. > > Here's to even more widespread software security in 2008! > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > blog www.cigital.com/justiceleague > book www.swsec.com > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > > > > -- Best Regards, Jim Manico [EMAIL PROTECTED] 808.652.3805 (c) _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________