Kevin, that's fantastic insight. If you convert it to a blog posting I'll
add a link to it

On Thu, Jul 28, 2011 at 1:01 PM, Wall, Kevin <kevin.w...@qwest.com> wrote:

>  Rohit Sethi wrote:
>
> > Recently I sent a note about the Organic Progression of the Secure SDLC.
> > One of the major points that we raise in that model is the difficulty with
> > "Climbing the Wall": Getting the lines of business to commit resources
> > to application/software security. This is one of the most fundamental
> > challenges in building a secure SDLC.
> >
> > We offer some simple high level thoughts and a PPT deck you can use here:
> > http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/how-climb-wall/
> >
> > I'm curious to see what others have done / seen to climb the
> > wall effectively
>
> I can't speak for others--although I think that the BSIMM data bears this
> out--is that our company formed a separate Application Security team. This team
> was placed within the IT organization (vs. under Risk Management) and was
> comprised of staff with extensive and varied application development experience
> who had a common interest in application security. (Note that this team was
> formed 11 years ago and for the most part, is still intact. I was the technical lead
> of this group up until about 6 months ago.)
>
> For us, this worked out well. Among the first initiatives of this group
> was to build a custom proprietary application security library similar
> in intent to ESAPI (although much less ambitious). We also evaluated
> several vendor web access management solutions, chose one, and then over
> the period of the last 8 or 9 years, integrated that vendor solution with
> close to 250 applications, both internal and external. For the first several
> years, we also offered free consulting to internal development groups.
>
> I think the keys to the team’s success in "climbing the wall" was that it was
> placed under the IT organization and it was made up of senior developers
> who had lots of development experience. (I’ve always believed it’s easier to
> teach a good developer about security than it is to teach a security person
> about development.) The latter was important because they speak the same
> lingo as developers and could identify with the obstacles that developers face.
> It’s not perfect, but it seems to have been relatively successful.
>
> -kevin
>
> ---
> Kevin W. Wall           CenturyLink / Risk Mgmt / Information Security
> kevin.w...@qwest.com    Phone: 614.215.4788
>
> Blog: http://off-the-wall-security.blogspot.com/
>
> "There are only 10 types of people in the world...those who can count
> in binary and those who can't."
>
>
> ------------------------------
> This communication is the property of Qwest and may contain confidential or
> privileged information. Unauthorized use of this communication is strictly
> prohibited and may be unlawful. If you have received this communication
> in error, please immediately notify the sender by reply e-mail and destroy
> all copies of the communication and any attachments.
>



-- 
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________