Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Shea, Brian A
Security is a tradeoff game between risk and cost in my experience. So the least privilege question comes down to practical matters like knowing the execution environment, knowing the requirements of the tasks being executed, and knowing where those intersect with the ability of the user or

Re: [SC-L] Programming language comparison?

2008-02-06 Thread Shea, Brian A
It seems like this exchange is focused on whether bug / flaw classes can be applied to All programming languages or not. Isn't the question at hand which languages have the property Subject to bug / flaw class XXX (true | false), and not whether you can find one or more class that fits the All

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Shea, Brian A
IMO the path to changing the dynamics for secure coding will reside in the market, the courts, and the capacity of the software industry to measure and test itself and to demonstrate the desired properties of security, quality, and suitability for purpose. In today's market we do well in

Re: [SC-L] Software security video podcast

2007-10-29 Thread Shea, Brian A
IMO (IANAL) this is a position that is increasingly untenable as we move forward, especially in the consumer markets. As a customer I do, in fact, expect software to operate correctly (per features and functions promised / contracted) but also securely in that it doesn't contain bugs or insecure

Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread Shea, Brian A
And answering that correctly requires input from the customer. Which we (TINW) won't have until customers recognize a need for security and get enough clue to know what they want to be secure against. I can't exactly agree with this as there is a distinction (or should be IMO) between security

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Shea, Brian A
The right answer is both IMO. You need the thinkers, integrators, and operators to do it right. The term Security Professional at its basic level simply denotes someone who works to make things secure. You can't be secure with only application security any more than you can be secure with only

RE: [SC-L] How do we improve s/w developer awareness?

2004-12-02 Thread Shea, Brian A
FYI this is part of a notice that went out to financial institutions recently. Complete Financial Institution Letter: Highlights: Management is responsible for ensuring that commercial off-the-shelf (COTS) software packages and