On Sun, 22 Mar 2009, Gary McGraw wrote:

> hi sc-l,
>
> For what it's worth, I am involved in the project with jmr...as is Sammy
> Migues. jmr was our BSIMM participant from DTCC. Their software security
> initiative is most impressive.

I don't know TOO much about supply chain issues, but I have to admit that the
lecture I heard on the subject by Marcus Sachs was highly interesting and
opened my eyes.

Blessed initiative.

Gadi.

> gem
>
>
> On 3/22/09 9:08 AM, "Mason Brown" <mbr...@sans.org> wrote:
>
> Jim Routh, CISO at Depository Trust and Clearing Corporation is leading a
> project for the Financial Services ISAC. There is a lot of knowledge on
> this list and I was hoping you might be willing to offer your thoughts.
> Below is the request from Jim. If you have thoughts or data and could
> share it, I'll be happy to collate and send back to the list or to anyone
> that requests. After he presents it to the FS-ISAC in May, the complete
> information will be made public.
>
> Important project if your organization uses contractors and outsourcers to
> design, build or deploy important applications. Jim Routh, CISO at
> Depository Trust and Clearing Corporation (and one of the top CISOs in
> implementing application security), leads a broad industry team
> identifying leading practices in improving supply chain resiliency --
> specifically in the area of procurement for outsourcing software
> development and services. They have asked for your help in finding sources
> of information in the public domain and/or descriptions of a practice or
> control that you have used that actually mitigates one or more risks. If
> you have experience or knowledge of security controls and practices
> specific to the outsourcing of application development through service
> providers, please send a note to Mason Brown at mbr...@sans.org. This can
> include things like sample contract language or URLs to
> information/resources you have seen or used. We will provide a summary of
> the information to anyone who contributes or expresses an interest in
> seeing the results.
>
> ***************************
> Action Required:
>
> Give some thought to helpful information on security controls and
> practices specific to the outsourcing of application development work
> through service providers that will help improve the resiliency of the
> supply chain. It may be in two categories:
>
> 1. Source information in the public domain with reference information on
>    where to find it (eg: url)
> 2. Description of a practice/control along with a summary of the risks
>    mitigated
>
> We are striving to create a summary of practices/controls for
> consideration for those organizations interested in significantly
> increasing their supply chain resiliency and mitigating the risk of
> sabotage of supply chain sources. This information along with the survey
> results will provide the information security professional with a source
> of information enabling him/her to determine the appropriate
> practices/controls for his/her organization.
>
>
> Mason Brown, Director
> SANS Institute (www.sans.org)
> 865-692-0978 (w)
>
> Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in
> Baltimore, MD http://www.sans.org/info/39248
>
> "SANS courses are hands-down the best security courses in the industry." -
> Scott Hiltis, Bruce Power
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.