Eoin, I think your take on SAMM is interesting. I think the difference
is not to look for evidence but to measure against controls. Auditors
use the notion of controls to figure out good vs bad and is less fluid /
abstract than simply seeking evidence. I wonder if Pravir or others that
thought abou
My thought was a little different than thinking of this as an
educational activity. My thinking says this is more about how groups
such as OWASP should "JOINTLY" publish with groups such as ISACA. On the
radar of most enterprisey types are emerging legislation such as Mass
Privacy will have audit-s
Wheeler, David A wrote:
Gadi Evron said:
> David, this is very cool indeed. Thank you for sharing, and a lot of luck!
Thanks!
> I'd like to note in a semi-related fashion that the concept of trusting
> trust, while in the original paper limited to the compiler case, is a
> generic concept in securit
John Morency of Gartner just finished giving a presentation to our IT
executives and one of the observations is that IT auditors have zero
clue as to how to audit a secure coding practice. IT audit right now is
limited to simply looking at "control" documents and viewing things
through the lens of
Gadi Evron said:
> David, this is very cool indeed. Thank you for sharing, and a lot of luck!
Thanks!
> I'd like to note in a semi-related fashion that the concept of trusting
> trust, while in the original paper limited to the compiler case, is a
> generic concept in security and could go on up
Wheeler, David A wrote:
All -
As you know, in the "trusting trust" attack, compilers can be subverted to
insert malicious Trojan horses into critical software... including themselves. This
turns out to be a nasty attack that's not easy to counter.
I've just released my draft PhD dissertation