[SC-L] OWASP Publicity

2007-11-15 Thread McGovern, James F (HTSC, IT)
I have observed an interesting behavior in that the vast majority of IT
executives still haven't heard about the principles behind secure
coding. My take says that we are publishing information in all the wrong
places. IT executives don't really read ACM, IEEE or the sporadic
postings from bloggers, but they do read CIO and the Wall Street Journal and, most
importantly, listen to each other.

What do folks on this list think about asking the magazines and
newspapers to publish? I am willing to gather contact information of
news reporters and others within the media if others are willing to
amplify the call to action in terms of contacting them. 



*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] OWASP Publicity

2007-11-15 Thread Gunnar Peterson
Local boy makes good

http://online.wsj.com/article/0,,SB112128453130584810,00-search.html

-gp




Re: [SC-L] OWASP Publicity

2007-11-15 Thread Crispin Cowan
The vast majority of IT executives are unfamiliar with all of the
principles of security, firewalls, coding, whatever.

The important thing to understand is that such principles are below
their granularity; they are *right* to not care about such principles,
because they can't do anything about them. Their granularity of decision
making is which products to buy, which strategies to adopt, which
managers to hire and fire. Suppose they did understand the principles of
secure coding; how then would they use that to decide between firewalls?
Web servers? Application servers?

If anything, the idea that needs to be pitched to IT executives is to
pay more attention to quality than to shiny buttons & features. But
there's the rub: what is quality, and how can an IT executive measure it?

I have lots of informal metrics that I use to measure quality, but they
largely amount to synthesized reputation capital, derived from reading
bugtraq and the like with respect to how many vulnerabilities I see with
respect to a given product, e.g. Qmail and Postfix are extremely secure,
Pidgin not so much :)

But as soon as we formalize anything like this kind of metric, and get
executives to start buying according to it, then vendors start gaming
the system. They start developing with the aim of getting the highest
whatever-metric score they can, rather than for actual quality. This
happens because metrics that approximate quality are always cheaper to
achieve than actual quality.

This is a very, very hard problem, and sad to say, but pitching articles
on principles to executives won't solve it.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin
CEO, Mercenary Linux   http://mercenarylinux.com/
   Itanium. Vista. GPLv3. Complexity at work



Re: [SC-L] OWASP Publicity

2007-11-15 Thread Bernie Rosen
But, if you get the ideas in front of the C-Suite folks and it
resonates, then they push it down the lines in their organization where,
one hopes, those who should pay attention will pay attention. Awareness,
I would think, is what matters.

My $0.02 for the week. 

Bernie


Bernie Rosen
Director, Juniper SIRT
1-408-936-4809 Direct
1-650-714-8255 Mobile


Re: [SC-L] OWASP Publicity

2007-11-15 Thread Gary McGraw
Thanks Gunnar.  That was a gratifying article that I am proud of.

We've garnered good coverage as a field in CIO magazine too.  I don't think
it's as simple as having ink in the right locations, but I do agree with James
that that helps.  Software security is continuing to spread and grow, and we
need to keep the good work coming.

gem


