Another question is how many of the reported bugs wound up being false
positives. Through casual conversations with some vendor (I forget whom),
it became clear that the massive number of reported issues was very
time-consuming to deal with, and not always productive. Of course this is
no surpri
Hi Andy,
Good point about 4 (tool first). Sometimes security feature rollout can
provide a good impetus. We saw that too, focused around crypto for PCI with
one of our major customers.
The only real danger with following that path is that you tend to emphasize
that security is a feature (and
Good points Ken.
I lurk on a top-secret open source list that has been discussing this since New
Year's. I posted an entry on Justice League with my partially formed opinion:
http://www.cigital.com/justiceleague/2008/01/09/on-open-source/
I have also written a longer piece, which will be posted
Hi Jim,
Good question. Often a coordinated/distributed approach will work. However,
to make things simple, I tried to untangle the threads. We have actual
customers who have followed each of the 4 paths (with other interesting twists
of course), so it made sense to carve things out that way
hi gp,
Yup. I count that as 1 (top-down framework) because that approach often leads
with the creation of a special ops execution team that becomes the software
security group. By far, this is the most impressive approach in terms of
results and the one that is the most effective in well-run
SC-L,
I imagine many of you have seen the results of Coverity's DHS-funded
scan of a *bunch* of open source projects:
http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All
The stats are interesting, I suppose. I don't see any prioritization
of the
Gary,
Interesting article. May I ask, why get started with only one of these
approaches? Since 1-3 affect different parts of the organization
(portfolio risk seems like a biz-management approach, top-down framework
seems to affect software development management, and training affects
develope
On Jan 9, 2008 4:48 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to
> get started, especially when faced with an enterprise-level challenge. My
> first darkreading column for 2008 is about how to get started i
Another approach is decentralized specialized teams, centers of excellence
in current managementspeak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2, 3, or 4 from
your list. For example, a roving specialized threat modeling team that w