My thought was a little different than thinking of this as an educational activity. My thinking says this is more about how groups such as OWASP should "JOINTLY" publish with groups such as ISACA. On the radar of most enterprisey types are emerging legislation such as Mass Privacy will have audit-specific criteria within the legislation. In the same sense that OWASP had a win by having PCI mention us, we could accomplish something similar by working with the audit community.
-----Original Message----- From: owasp-leaders-boun...@lists.owasp.org [mailto:owasp-leaders-boun...@lists.owasp.org] On Behalf Of kuai hinojosa Sent: Wednesday, November 04, 2009 11:18 AM To: owasp-lead...@lists.owasp.org Cc: sc-l@securecoding.org Subject: Re: [Owasp-leaders] Question on ISACA On Nov 4, 2009, at 11:11 AM, Dan Cornell wrote: > I've worked with a number of IT auditors in the past and that is a > fair characterization, based on my experiences. Most of the folks in > that job function I have worked with are, at best, infrastructure > security folks who have moved to IT audit, but many are CPAs by > background or have other non-IT experience bases. > > The majority of the time I have worked with IT auditors it has been > helping them to translate their audit requirement into reasonable > technical measures that can be taken that meet those requirements and > then helping them to interpret the results of Threat Models, code and > application scans, etc so they can determine if they feel comfortable > that their audit requirements have been met. > > As for what OWASP can do I think the manager-focused documentation for > the OWASP Top 10, etc is helpful in translating fairly technical > information to the level of business risk. There was work done a > while back on ISO 17799 mappings and resurrecting that and providing > further application-level guidance for these compliance/audit regimes > might be helpful. I believe this is one of the initiatives of the Global Education Committee, we are planning on structuring and "translating" documents for different target audience, managers being one. > > Have other folks on the list fielded questions from IT auditors who > were looking for further direction? > > Thanks, > > Dan > ________________________________________ > From: owasp-leaders-boun...@lists.owasp.org > [owasp-leaders-boun...@lists.owasp.org > ] On Behalf Of McGovern, James F. (eBusiness) > [james.mcgov...@thehartford.com ] > Sent: Wednesday, November 04, 2009 9:38 AM > To: owasp-lead...@lists.owasp.org; sc-l@securecoding.org > Subject: [Owasp-leaders] Question on ISACA > > John Morency of Gartner just finished giving a presentation to our IT > executives and one of the observations is that IT auditors have zero > clue as to how to audit a secure coding practice. IT audit right now > is limited to simply looking at "control" documents and viewing things > through the lens of "infrastructure". Is there something we as a > community should be doing to make auditors smarter? > > ************************************************************ > This communication, including attachments, is for the exclusive use of > addressee and may contain proprietary, confidential and/or privileged > information. If you are not the intended recipient, any use, copying, > disclosure, dissemination or distribution is strictly prohibited. If > you are not the intended recipient, please notify the sender > immediately by return e-mail, delete this communication and destroy > all copies. > ************************************************************ > > > > _______________________________________________ > OWASP-Leaders mailing list > owasp-lead...@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-leaders _______________________________________________ OWASP-Leaders mailing list owasp-lead...@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-leaders ************************************************************ This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
