Hi Jim,

Good question.  Often a coordinated/distributed approach will work.  However, 
to make things simple, I tried to untangle the threads.  We have actual 
customers who have followed each of the 4 paths (with other interesting twists 
of course), so it made sense to carve things out that way to me.

I agree with you on 4 (tool first), but the reality of the situation is that 
many enterprises were sold tools as a just-add-water solution and they've been 
looking around for the water ever since.  That is one way to get started and it 
does work.  Reality sucks, huh?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Manico
Sent: Thursday, January 10, 2008 12:50 AM
Cc: Secure Coding Mailing List (SC-L@securecoding.org)
Subject: Re: [SC-L] Darkreading: Getting Started

Gary,

Interesting article. May I ask, why get started with only one of these 
approaches? Since 1-3 affect different parts of the organization (portfolio 
risk seems like a biz-management approach, top-down framework seems to affect 
software development management, and training affects developers, primarily) - 
why not *start* an initiative on all levels? In fact, doesn't it really take 
all of the above to truly effect permanent change in an organization?

4) Makes me nervous. I worry if you just toss a very expensive static code 
analysis or app scanning tool at development staff, you only provide a false 
sense of security since the coverage of even the best application security 
tools is very limited. Doesn't it take rather in-depth developer training and 
awareness for a tool to be truly useful?

- Jim
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to 
> get started, especially when faced with an enterprise-level challenge.  My 
> first darkreading column for 2008 is about how to get started in software 
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.
>
> We've tried them all with some success at different Cigital customers.
>
> Are there other ways to get started that have worked for you?
>
> By the way, I can use your help.  Darkreading is beginning to track reaction 
> to topics more carefully than in the past.  You can help make software 
> security more prominent by reading the article and passing the URL on to 
> others you may find interested.  Another thing that helps is posting to the 
> message boards.  Thanks in advance.
>
> Here's to even more widespread software security in 2008!
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org List
> information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at -
> http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC
> (http://www.KRvW.com) as a free, non-commercial service to the software 
> security community.
> _______________________________________________

--

Best Regards,
Jim Manico
[EMAIL PROTECTED]
808.652.3805 (c)
