At 08:01 AM 22/12/2009, Mike Boberski wrote:
Hi Gary.
To play devil's advocate:
Current organizational practices aside, I would say that
organizations really need more and better toolkits and standards for
developers to use, than they need more and better committees.
I'd have to agree -
I accidentally hijacked this thread with S/MIME last night. Mailman can't do
base64 encoding. Oops
From: Gary McGraw
To: 'mike.bober...@gmail.com' ; 'davel...@microsoft.com'
Cc: 'SC-L@securecoding.org' ; 'dustin.sulli...@informit.com'
Sent: Mon Dec 21
Mike Boberski mike.bober...@gmail.com wrote:
A toolkit example that comes to mind, to keep this email short: the
highly-matrixed environment (and actually also the smaller environment, now
that I think about it) where developers fly on and off projects.
I don't quite grok what you're saying
hi bret and mike,
While you guys are certainly entitled to your opinion, I think it is important
to acknowledge facts when you state an argument. Please take a few minutes to
read the article I posted on SSG's (this committee language you're both using
is very humorous BTW...thanks for the
I think the short-term assertion is sound (setup a group to make a push
in training, awareness, and integration with SOP), but I'm not convinced
the long-term assertion (that is, maintaining the group past the initial
push) is in fact meritorious. I think there's a danger in setting up
dedicated
hi ben,
You may be right. We have observed that the longer an initiative is underway
(we have one in the study that checks in at 14 years old), the more actual
activity tends to get pushed out to dev. You may recall from the BSIMM that we
call this the satellite. Microsoft has an extensive
but it is nowhere near as important or as effective as teaching defensive
programming
I.e., arming developers with toolkits that perform expected security checks and
that result in expected security effects, and making sure they can use them.
Not a sermon just a thought, as the local radio