I for one am pretty satisfied with the rate at which things are
progressing
I dunno...
Again, trying to keep it pithy: I for one welcome our eventual new [insert
hostile nation state here] overlords. /joke
What I see from my vantage point is a majority of people who (1) should know
better given
Fun article. To try to be equally pithy in my response: the article reads to
me like a high-tech, application security-specific form of McCarthyism.
To explain...
The amount of reinvention and discussion about the problems in this space is
spectacular.
If one has something to start from which
But the vast majority of clients I work with don't have the time or need
or ability to take advantage of BSIMM
Mike's Top 5 Web Application Security Countermeasures:
1. Add a security guy or gal who has a software development background to
your application's software development team.
2. Turn
we start to create standards for how Security Controls should behave [and
basically the rest of the post]
I submit ASVS for your consideration. If one is further concerned about
building blocks in the environment, check out Common Criteria and FIPS
140-2.
Also,
There have also been discussions
Hi Gary.
To play devil's advocate:
Current organizational practices aside, I would say that organizations
really need more and better toolkits and standards for developers to use,
than they need more and better committees.
A toolkit example that comes to mind, to keep this email short: the
and standardize to the extent
possible, then advise/adjudicate as necessary for situations that don’t fit
the norm.
Dave
*From:* Mike Boberski [mailto:mike.bober...@gmail.com]
*Sent:* Monday, December 21, 2009 5:22 PM
*To:* Gary McGraw
*Cc:* David Ladd; SC-L@securecoding.org; dustin.sulli
orgs,
and certainly aren’t proprietary to Microsoft.
Dave
*From:* Mike Boberski [mailto:mike.bober...@gmail.com]
*Sent:* Monday, December 21, 2009 5:46 PM
*To:* David Ladd
*Cc:* Gary McGraw; SC-L@securecoding.org; dustin.sulli...@informit.com
*Subject:* Re: [SC-L] InformIT: You need