I'll preface what I'm going to say with:

- I don't work in the financial vertical or government defense, but from conversations with colleagues, I think that they get it (they have to).

- My sphere of experience excludes Australia, India, and Japan:

  - Oz has on average a high skill set of s/w engineers, so I don't see why that would be different for s/w security.

  - From discussions with friends/ex-employees who are from India, because of such a high turnover in the s/w factories, a coder is given a day's to a week's worth of code to produce at one time, so if they leave then they can be replaced without much loss. This was a few years ago and I don't know the level of s/w security introduced since then, but for sure I highly doubt that developers have any say in what they can write.

  - Colleagues and friends who live in Japan say that the level of s/w security is just as bad as the rest of Asia, which was surprising to me. I think, though, that in Japan, there is a strong culture of not upstaging the boss so maybe that explains it.

So, my sphere of experience extends from Beijing to Jakarta and all points in between... (to paraphrase ZZ Top :-)

I would say the level is barely the "beginning of the beginning". There are no compliance laws except for PCI-DSS. There are no breach disclosure laws. There are often huge silos between the security guys and the development team, both organizationally and politically. Quite a few times I've seen the responsibility of software security dumped on the network team with the orders of "make everything secure". And often: (a) the web site was outsourced years ago and the company is no longer in business; (b) the 3rd party software vendor is not going to fix its software or attempt to make it secure in the near future (and there's nothing in the SLA that says they have to); (c) the development team does exist but either change processes take 3 to 6 months to get anything done, or (d) the network manager has to go to political war to get something done.

From all of the above, a magic elixir for a network security team can be a web application firewall. They can drop a box in and they don't need anybody else's permission. This is what happened on a very recent project (I was helping the client prepare for a PCI audit), and because of my Summer of Code OWASP project, Securing WebGoat using ModSecurity, I was able to help their team write custom ModSec rulesets; and from that they learned something about security (of course it should have been the s/w people who learned something about it).

And, you don't know how many times I've been approached to do pentests for large corporations' web sites that handle sensitive customer data - and their budget is $6500 to $10,000 USD. Sorry, I'm greedy, but I can't risk my reputation by doing a less than half-assed job.

On the bright side, I've had a couple of application pentest projects - the head of the development team was responsible for it (maybe that's the key) - and they went great. The developers & architects didn't know anything about software security, but each manager assembled the entire dev team and network/sys admins for a half day for me to present my findings and educate them on what they needed to do; to explain the origin, the prevention/solution, etc. Those are real fun and it's so cool seeing the looks on people's faces when it clicks and they get it.

Stephen

On Wed, Nov 26, 2008 at 10:45 PM, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> On Nov 26, 2008, at 9:19 AM, Gary McGraw wrote:
>>
>> I think this idea of regional differences is worth exploring a bit. In my
>> work at cigital I have come to believe that there is a difference in
>> approach between the east coast of the US and the west coast.
>
> I completely agree here. Stephen raises a fascinating point.
>
> I don't know what I did {right|wrong}, but the vast majority of my clients
> are in Europe or Southeast Asia right now. (I'm a dual EU/US citizen, which
> perhaps helps.)
>
> Apart from all the air miles, I've seen vast differences that seem--at least
> on the surface via casual observation--to have a regional component.
> Contrasting US East, West, EU, and Asia, there are big differences in such
> areas as:
>
> - Software process. I see more process-heavy dev in US East and Europe,
> with far less of it in US West and Asia, for instance.
>
> - Security teams. I see a pretty solid line between IT security and
> software dev teams in US East and Asia, with lines being more blurred in US
> West and EU. This seems to be central to Stephen's point, if I understand
> correctly. And it's a good point to consider.
>
> - Security testing. ...
>
> The list goes on. Unfortunately, all I have are casual observations, but
> the "climate differences" seem palpable to me.
>
> Cheers,
>
> Ken
>
> -----
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________