Rohit Sethi wrote:
> Recently I sent a note about the Organic Progression of the Secure SDLC.
> One of the major points that we raise in that model is the difficulty with
> "Climbing the Wall": Getting the lines of business to commit resource
> to application/software security. This is one of the most fundamental
> challenges in building a secure SDLC.
>
> We offer some simple high level thoughts and a PPT deck you can use here:
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/how-climb-wall/
>
> I'm curious to see what others have done / seen to climb the
> wall effectively
I can't speak for others--although I think that the BSIMM data bears this out--but our company formed a separate Application Security team. This team was placed within the IT organization (vs. under Risk Management) and was comprised of staff with extensive and varied application development experience who had a common interest in application security. (Note that this team was formed 11 years ago and for the most part, is still intact. I was the technical lead of this group up until about 6 months ago.)

For us, this worked out well. Among the first initiatives of this group was to build a custom proprietary application security library similar in intent to ESAPI (although much less ambitious). We also evaluated several vendor web access management solutions, chose one, and then over the period of the last 8 or 9 years, integrated that vendor solution with close to 250 applications, both internal and external. For the first several years, we also offered free consulting to internal development groups.

I think the keys to the team's success in "climbing the wall" were that it was placed under the IT organization and it was made up of senior developers who had lots of development experience. (I've always believed it's easier to teach a good developer about security than it is to teach a security person about development.) The latter was important because they speak the same lingo as developers and could identify with the obstacles that developers face.

It's not perfect, but it seems to have been relatively successful.

-kevin
---
Kevin W. Wall
CenturyLink / Risk Mgmt / Information Security
kevin.w...@qwest.com
Phone: 614.215.4788
Blog: http://off-the-wall-security.blogspot.com/
"There are only 10 types of people in the world...those who can count in binary and those who can't."
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________