Another approach is decentralized specialized teams, "centers of excellence"
in current management-speak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2, 3, or 4 from
your list. For example, a roving specialized threat modeling team that

Gary,
Interesting article. May I ask, why get started with only one of these
approaches? Since 1-3 affect different parts of the organization
(portfolio risk seems like a biz-management approach, top-down framework
seems to affect software development management, and training affects

hi gp,
Yup. I count that as 1 (top-down framework) because that approach often leads
with the creation of a special ops execution team that becomes the software
security group. By far, this is the most impressive approach in terms of
results and the one that is the most effective in well-run

Good points, Ken.
I lurk on a top-secret open source list that has been discussing this since New
Year's. I posted an entry on Justice League with my partially formed opinion:
http://www.cigital.com/justiceleague/2008/01/09/on-open-source/
I have also written a longer piece, which will be posted

Another question is how many of the reported bugs wound up being false
positives. Through casual conversations with some vendor (I forget whom),
it became clear that the massive number of reported issues was very
time-consuming to deal with, and not always productive. Of course this is
no