Re: [SC-L] Darkreading: compliance

2007-03-30 Thread ljknews
At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:

> SOX has been a complete waste, imo.  First, the majority of it was already
> covered in existing law.  Second, it really has nothing to do with security
> from a practical standpoint.  The only purpose SOX has served is to give
> auditors another source of revenue.  And, worse than that, it initially gave
> auditors the appearance of more power and responsibility, which I saw
> carried out in external auditors trying to dictate to businesses how the
> business should operate (and not in a good way).  Talk about a fundamental
> violation of independence and objectivity.  The pendulum has fortunately
> swung back on that trend.
> 
> PCI DSS, on the other hand, has been a very good effort with real,
> meaningful results.  Why is this?  Well, for one thing, it's specific.  As
> opposed to SOX, which paints with broad strokes and focuses on truth in
> reporting (gross oversimplification), PCI DSS goes into technical detail on
> what activities must be implemented, what minimum measures are for adequate
> security in a system, etc.  Perhaps the best example of this thought is
> section 3.6 in DSS v1.1, where it details the minimum requirements for key
> management.  It makes my job much easier having this level of detail, with
> much less left to interpretation (again, unlike SOX, where almost everything
> is open to interpretation and the whim of your auditors).

That parenthetical comment is almost verbatim the description of SOX
I received from someone who is subject to SOX audits.

My own nomination for specificity in security standards is NIST Special
Publication 800-53 (currently at Revision 1).

   http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53-Rev1

Through all the controls there is only one requirement with which I disagree.
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Darkreading: compliance

2007-03-30 Thread Benjamin Tomhave
Running a little behind... :)

SOX has been a complete waste, imo.  First, the majority of it was already
covered in existing law.  Second, it really has nothing to do with security
from a practical standpoint.  The only purpose SOX has served is to give
auditors another source of revenue.  And, worse than that, it initially gave
auditors the appearance of more power and responsibility, which I saw
carried out in external auditors trying to dictate to businesses how the
business should operate (and not in a good way).  Talk about a fundamental
violation of independence and objectivity.  The pendulum has fortunately
swung back on that trend.

PCI DSS, on the other hand, has been a very good effort with real,
meaningful results.  Why is this?  Well, for one thing, it's specific.  As
opposed to SOX, which paints with broad strokes and focuses on truth in
reporting (gross oversimplification), PCI DSS goes into technical detail on
what activities must be implemented, what minimum measures are for adequate
security in a system, etc.  Perhaps the best example of this thought is
section 3.6 in DSS v1.1, where it details the minimum requirements for key
management.  It makes my job much easier having this level of detail, with
much less left to interpretation (again, unlike SOX, where almost everything
is open to interpretation and the whim of your auditors).

So, overall, are regulations good and useful?  Yes, but with the caveat that
they need to be specific enough to indicate an actual direction and
associated actions.  Oh, and it helps to have follow-through.  Visa and co.
are starting to fine companies for lack of compliance.  Maybe there have
been SOX fines, but I can't think of any examples.  I think it's also
extremely important to note the difference in efficacy between a generic
knee-jerk government regulation and a specific, business-driven industry
regulation.

fwiw.

-ben

---
Benjamin Tomhave, MS, CISSP, NSA-IAM, NSA-IEM
[EMAIL PROTECTED]
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/profile?viewProfile=&key=1539292
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/

"We must scrupulously guard the civil rights and civil liberties of all
citizens, whatever their background. We must remember that any oppression,
any injustice, any hatred is a wedge designed to attack our civilization."
-President Franklin Delano Roosevelt
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary McGraw
> Sent: Monday, March 12, 2007 4:53 PM
> To: SC-L@securecoding.org
> Subject: [SC-L] Darkreading: compliance
> 
> hi sc-l,
> 
> this month's darkreading column is about compliance.  my own 
> belief is that compliance has really helped move software 
> security forward.  in particular, sox and pci have been a boon:
> 
> http://www.darkreading.com/document.asp?doc_id=119163
> 
> what do you think?  have compliance efforts you know about 
> helped to forward software security?
> 
> gem
> 
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com


[SC-L] SANS Software Security Institute announced

2007-03-30 Thread Kenneth Van Wyk
FYI, the folks at SANS have announced the launch of their Software
Security Institute (see http://www.sans-ssi.org/ for details).


Their web site cites the following 6 goals:

* Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
* Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
* Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
* Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
* Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
* Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
