Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Bret Watson

At 08:01 AM 22/12/2009, Mike Boberski wrote:

Hi Gary.

To play devil's advocate:

Current organizational practices aside, I would say that 
organizations really need more and better toolkits and standards for 
developers to use, than they need more and better committees.


I'd have to agree - whilst an SSG is probably a great opportunity for a 
management consultant, it rarely delivers anything directly useful. 
In fact I would go as far as to say that if an SSG delivers something 
useful, the organisation was already ready to deliver the changes. 
Committees rarely take direct ownership of a problem.


Toolsets may or may not deliver results - depending on whether there are 
ways around them - too often you hear the excuse "we can't waste time 
with that - the business won't wait".


However, toolsets will work if you have a good, properly supported 
security mgmt function :)


Cheers

Bret

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-22 Thread Bret Watson
Which is why I list that I have _had_ a CISSP, but am currently 
non-financial.. It was too damn easy to pass and too damn hard to 
keep up with the CPE point entry...

:) I was LAMN member #8 :) Best number :)

Cheers

Bret



At 03:38 PM 21/03/2009, Joe Teff wrote:
I notice certs like CISSP when hiring. It says the person has a 
basic understanding of all IS security areas. Nothing more. If 
someone can't pass the CISSP then I have to wonder why.

-Original Message-
From: Paco Hope p...@cigital.com
To: SC-L@securecoding.org SC-L@securecoding.org
Date: Thu, 19 Mar 2009 11:36:45 -0400
Subject: Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

On 3/18/09 5:29 PM, Jeremy Epstein jeremy.j.epst...@gmail.com wrote:

  If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it

...then I'd say you have an overly simplistic view of the world.

Anyone who believes that a credential automatically conveys some magical
knowledge that you didn't have before is just as overly-simplistic as
someone who disparages all credentials equally. It just isn't a black and
white world.

Paco
--
Paco Hope, CISSP, CSSLP
Technical Manager, Cigital, Inc
http://www.cigital.com/ | +1.703.585.7868
Software Confidence. Achieved.




Re: [SC-L] Question about SSE-CMM

2007-10-08 Thread Bret Watson
Hi Francisco,
definitely - the principles are the same. I used this a couple of years ago 
to bring a group from 0 to lvl 1... Of course what really tends to happen 
is that some parts actually move to 3+ whilst others only just make it to 
level 1 - and by the rules of CMM you can only claim the level that all 
processes have achieved.

This may be your confusion, as SSE-CMM spends more time talking about 
this than CMMI.

Cheers,

Bret


At 07:00 PM 8/10/2007, Francisco Nunes wrote:
Dear list members.

After reading SSE-CMM, I became confused whether
SSE-CMM can be used to improve their PAs like CMMI
does, i.e., both improve in continuous or in staged
way.

Please, what are your opinions?

Thank you.

Yours sincerely,
Francisco.




Re: [SC-L] Really dumb questions?

2007-08-30 Thread Bret Watson
At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote:


- So when a vendor says that they are focused on quality and not
security, and vice versa what exactly does this mean? I don't have a
great mental model of something that is a security concern that isn't a
predictor of quality. Likewise, in terms of quality, other than
producing metrics on things such as depth of inheritance, cyclomatic
complexity, etc wouldn't bad numbers here at least be a predictor of a
bad design and therefore warrant deeper inspection from a security
perspective?


My opinion is that security and quality are inherently related. Poor 
security indicates poor design, poor testing, etc., and poor quality 
management tends to result in poor application security.


In fact two jobs ago I used this argument to implement security at a 
company that was extremely strong in quality (5% of the workforce 
belonged to the quality dept). I've also found that using quality 
tools such as FMECA etc. for security assessments works very easily.

Cheers

Bret 


Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Bret Watson
You know it's a little off topic - but I'd kill for a set of metrics 
around the effectiveness/efficiency of a SOC :)

Anyone got any ideas? The usual "events per person" type metrics are 
backwards (good security means fewer events, so lower efficiency).

Thanks

Bret
