Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread McGovern, James F (HTSC, IT)
Yet another perspective. I believe that this question may be somewhat flawed as it doesn't take into consideration certain demographic challenges. Right now the model seems to be based on either being academic (sitting through a semester of some old fog with no real-world experience blabbering

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread McGovern, James F (HTSC, IT)
We are NOT craftsmen by any stretch of the imagination. If you have ever worked in a large enterprise, the ability to change roles and be fluid in one's career is rewarding yet has unintended consequences. If I went to my boss tomorrow and said that I no longer want to be an architect and

[SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread McGovern, James F (HTSC, IT)
There are several perspectives missing from the dialog: - Before we even talk about secure coding, we need a course on secure thinking. Most folks are indoctrinated into thinking positive which blinds them from seeing vulnerabilities right in front of them. A prereq on being antisocial might be a

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread McGovern, James F (HTSC, IT)
Are there any industry metrics that indicate what percentage of full-time software developers actually learned coding in a university setting? I actually learned in high-school, focused on business administration in college (easiest major on the planet) and learned/matured on the job. Likewise, I

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-20 Thread McGovern, James F (HTSC, IT)
Here is where my enterpriseyness will show. I believe the answer to the question of where secure coding belongs in the curriculum is somewhat flawed and requires addressing the curriculum holistically. If you go to art school, you are required to study the works of the masters. You don't attempt

Re: [SC-L] Work in the Secure Development/Secure Code Review Area?

2009-06-19 Thread McGovern, James F (HTSC, IT)
The market for doing freelance writing has all but disappeared. You could consider writing a book but you would probably earn more money working at McDonald's bagging fries than writing. In terms of presentations, most conferences/events also do not pay. If you managed to however put together

[SC-L] OWASP Hartford: Scott Ambler - Agility and Security: Two Great Tastes Which Go Great Together

2009-04-14 Thread McGovern, James F (HTSC, IT)
@securecoding.org ORGANIZER;CN=McGovern, James F (HTSC, IT):MAILTO:james.mcgov...@thehartfo rd.com LOCATION:The Hartford: 55 Farmington Avenue\, The Great Room DTEND;TZID=(GMT-05.00) Eastern Time (US Canada):20090413T18 DESCRIPTION:The Hartford Chapter of OWASP is pleased to announce Scott Ambl

Re: [SC-L] OWASP interviews McGraw (oh my)

2009-01-26 Thread McGovern, James F (HTSC, IT)
Some questions that I would have asked: 1. The trend towards offshoring software development is increasing. When do you think customers will be able to have confidence in the ability of outsourcing vendors to develop secure software without it being considered a special service? 2. Do you think

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Asking about security in terms of an RFP is a big joke and reminds me of tactics I used in sixth grade when I used to figure out creative ways of answering a question by turning the question into an answer. One has to acknowledge that RFPs are not authoritative and are usually completed by sales

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Message- From: Jim Manico [mailto:[EMAIL PROTECTED] Sent: Monday, December 01, 2008 4:44 PM To: McGovern, James F (HTSC, IT) Cc: SC-L@securecoding.org Subject: Re: [SC-L] FW: How Can You Tell It Is Written Securely? I think adding clear security requirements at the contractual level

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Some other thoughts that I haven't heard others mention? 1. OK, if you find that they didn't meet all the security requirements, will your business customers still want you to put it into production anyway? If the answer is yes, do you still want them to support it? How do we quantify who is

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread McGovern, James F (HTSC, IT)
A while back, I got asked the same question and realized that at some level the question is flawed. Many large enterprises have standards documents that sit on the shelf and the need to create more didn't feel right. Instead, we feel to the posture that we should inverse the problem and instead

Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread McGovern, James F (HTSC, IT)
The framework that Pravir put together is pretty good. Brian and I did have a conversation a while back regarding donating it to OWASP for continuation. I plan on making our firm one of the public case studies once they contribute. -Original Message- From: [EMAIL PROTECTED]

[SC-L] OWASP: The Application Security Desk Reference

2008-06-16 Thread McGovern, James F (HTSC, IT)
OWASP needs your help with a new important project. We're creating the OWASP Application Security Desk Reference (ASDR) to capture and organize all the foundational knowledge in application security. Like the Physicians' Desk Reference for doctors, this book is a well-organized reference work

[SC-L] Secure Coding in the Hartford CT Area

2007-12-19 Thread McGovern, James F (HTSC, IT)
I am launching the Hartford CT area chapter of OWASP and figured I would ask if anyone on this list is from my side of town. Likewise, if you know of others that would like to attend our users group, have them subscribe to our mailing list: http://www.owasp.org/index.php/Hartford I am pretty

Re: [SC-L] Code Coverage and Code Quality tools

2007-12-15 Thread McGovern, James F (HTSC, IT)
I think you will see static analysis tools such as Ounce Labs and Fortify emerge with COBOL coverage shortly. I do think it would be intriguing for them to extend their coverage to PL1 though. Assembler and Natural would be a waste of time as most enterprises that do have mainframes should have

Re: [SC-L] OWASP Publicity

2007-11-19 Thread McGovern, James F (HTSC, IT)
The vast majority of IT executives are unfamiliar with all of the principles of security, firewalls, coding, whatever. Are they unfamiliar because of background, or do they feel that their staff has a handle on it and therefore don't need to pay much attention to it? Both have different

[SC-L] OWASP Publicity

2007-11-15 Thread McGovern, James F (HTSC, IT)
I have observed an interesting behavior in that the vast majority of IT executives still haven't heard about the principles behind secure coding. My take says that we are publishing information in all the wrong places. IT executives don't really read ACM, IEEE or the other sporadic postings from

Re: [SC-L] IT industry creates secure coding advocacy group

2007-11-01 Thread McGovern, James F (HTSC, IT)
I publicly support Gunnar's assertion that folks in large enterprises need to get together as a collective to drive secure coding practices. If you know of others, please do not hesitate to have them connect to me via LinkedIn (I am bad with managing contact information) and I will most certainly

[SC-L] Mainframe Security

2007-11-01 Thread McGovern, James F (HTSC, IT)
I was thinking that there is an opportunity for us otherwise lazy enterprisey types to do our part in order to promote secure coding in an open source way. Small vendors tend to be filled with lots of folks that know C, Java and .NET but may not have anyone who knows COBOL. Minimally, they

[SC-L] Question on the importance of secure coding

2007-09-08 Thread McGovern, James F (HTSC, IT)
Figured I would ask the list for their perspective on why the adoption of secure coding practices is so slow. Generally speaking, not a day goes by where multiple software vendors will email, snail mail, phone, etc their value proposition to some problem in the world of security. They usually do

Re: [SC-L] Software process improvement produces secure software?

2007-08-29 Thread McGovern, James F (HTSC, IT)
One thing that I am firm in my belief about is that process is not a substitute for competence. Imagine taking lots of overweight IT guys and training them to ride a horse. That doesn't mean that they will go on to become successful horse jockeys and you would be dumb to bet on them. In terms of

Re: [SC-L] Security Testing track: Software Testing Conference:Washington DC

2007-08-28 Thread McGovern, James F (HTSC, IT)
Upon reading this, I had several thoughts come to mind: 1. If we are to truly solve the last mile, we need to also choose more mainstream conferences such as STPCon (http://www.stpcon.com) since they also have an associated magazine (Software Test and Performance) which may stimulate more

Re: [SC-L] Software Security Training for Developers

2007-08-28 Thread McGovern, James F (HTSC, IT)
My general observation of training firms in this area is that they all tend to use freelance trainers who float between the firms. The notion of customized courseware is something they sell as a feature but honestly feels more like a way to avoid actually developing consistent training approaches

Re: [SC-L] how far we still need to go

2007-08-28 Thread McGovern, James F (HTSC, IT)
Many folks have talked about certification of individuals but is there merit in noodling the notion of a security maturity model? What if end-customers could rank their software vendors in a transparent manner in the same way that outsourcing firms pursue CMMI? The notion of third-party

Re: [SC-L] Resources to fix vulns

2007-07-19 Thread McGovern, James F (HTSC, IT)
I wish formulas were the solution to your question. The problem is that the answer is heavily dependent upon the background of the C-level executive. Some C-Level executives have an analytical background where their backgrounds could have been actuarial, IT, statistics, etc where they would

Re: [SC-L] Resources to fix vulns

2007-07-19 Thread McGovern, James F (HTSC, IT)
I would actually recommend AGAINST using prior track records for fixing previous vulnerabilities because in all honesty they probably don't track it. Most enterprises prioritize any type of defect based on the importance as declared by business users who traditionally would prioritize a

[SC-L] Instead of the next frontier, how about another frontier

2007-06-28 Thread McGovern, James F (HTSC, IT)
I was thinking: instead of the next frontier, how about another frontier? Many software vendors pretend that the entire world is either Java or .NET without acknowledging that all of the really good data in many enterprises is sitting on a big ugly mainframe running COBOL, IMS, PL/1, etc. It is

Re: [SC-L] The Next Frontier

2007-06-28 Thread McGovern, James F (HTSC, IT)
, 2007 4:38 PM To: Secure Coding Subject: Re: [SC-L] The Next Frontier On 6/26/07 5:00 PM, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote: Would there be value in terms of defining an XML schema that all tools could emit audit information to? You might want to take a look at what

[SC-L] Comparing Software Vendors

2007-06-28 Thread McGovern, James F (HTSC, IT)
Jerry Leichter commented on flaws in scanning tools but I have a different question. Lots of folks love to attack MS while letting other vendors off the hook. Is there merit in terms of comparing vendor offerings within a particular product line? For example, is EMC's Documentum product more secure

Re: [SC-L] What's the next tech problem to be solved in softwaresecurity?

2007-06-11 Thread McGovern, James F (HTSC, IT)
The next problem to be solved is moving higher up the food chain by teaching architects secure architecture principles. Would love to see Gary McGraw tackle this subject in his next book... From: [EMAIL PROTECTED] on behalf of Kenneth Van Wyk Sent: Sun

[SC-L] Perspectives on Code Scanning

2007-06-06 Thread McGovern, James F (HTSC, IT)
I really hope that this email doesn't generate a ton of offline emails and hope that folks will talk publicly. It has been my latest thinking that the value of tools in this space is not really targeted at developers but should be targeted at executives who care about overall quality and

Re: [SC-L] Tools: Evaluation Criteria

2007-05-23 Thread McGovern, James F (HTSC, IT)
is also equally useful. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Steven M. Christey Sent: Tuesday, May 22, 2007 12:53 PM To: McGovern, James F (HTSC, IT) Cc: SC-L@securecoding.org Subject: Re: [SC-L] Tools: Evaluation Criteria On Tue, 22 May 2007

[SC-L] Tools: Evaluation Criteria

2007-05-22 Thread McGovern, James F (HTSC, IT)
We will shortly be starting an evaluation of tools to assist in the secure coding practices initiative and have been wildly successful in finding lots of consultants who can assist us in evaluating but absolutely zero in terms of finding RFI/RFPs of others who have travelled this path before

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-21 Thread McGovern, James F (HTSC, IT)
I agree. The two that I feel should be next in terms of developing certifications around are: - How to describe misuse cases and dangerous omissions for people writing functional specifications: This is highly applicable in outsourcing environments including the Federal Government - Strong

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-16 Thread McGovern, James F (HTSC, IT)
members here will also be in attendance at the TechForum in NYC (http://www.techforum.com/sf2007_1/index.html) would love to hook up for lunch. -Original Message- From: Gary McGraw [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 16, 2007 4:26 PM To: McGovern, James F (HTSC, IT); 'SC-L

Re: [SC-L] How big is the market?

2007-04-24 Thread McGovern, James F (HTSC, IT)
McGraw [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 24, 2007 11:24 AM To: McGovern, James F (HTSC, IT) Cc: SC-L@securecoding.org Subject: RE: [SC-L] How big is the market? Got it. I like dr. dobbs OK. Do you see that one around? It has software security content every once in a while. What

[SC-L] NYC Security

2007-04-24 Thread McGovern, James F (HTSC, IT)
FYI. A while back I mentioned the Technology Managers Forum in which I am a participant. The agenda is finalized and secure coding practices were the number one topic: http://www.techforum.com/sf2007_1/index.html For product vendors and consulting firms that want access to key decision makers,

Re: [SC-L] Silver Bullet: Ross Anderson

2007-04-23 Thread McGovern, James F (HTSC, IT)
Would it be possible for upcoming episodes to have an individual who is directly employed by a Fortune enterprise whose primary business model isn't technology? Way too many software vendors, consultants and folks from academia. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

Re: [SC-L] How big is the market?

2007-04-23 Thread McGovern, James F (HTSC, IT)
One thing that I can say is that vendors sometimes are doing themselves a disservice in terms of getting software security to grow even faster. Currently anything that has the word security in it automatically gets redirected to information protection types in large enterprises who usually are

[SC-L] Foundations of Security: What Every Programmer Needs to Know

2007-04-04 Thread McGovern, James F (HTSC, IT)
http://www.bookpool.com/sm/1590597842 Any thoughts positive and negative on this book?

Re: [SC-L] Darkreading: compliance

2007-04-04 Thread McGovern, James F (HTSC, IT)
favor... -Original Message- From: Gary McGraw [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 04, 2007 10:01 AM To: McGovern, James F (HTSC, IT); SC-L@securecoding.org Subject: RE: [SC-L] Darkreading: compliance Hi all, Another big momentum machine for software security (and data

[SC-L] FW: Need Sec Forum speakers-let us know by Wed. if interested

2007-04-04 Thread McGovern, James F (HTSC, IT)
To: McGovern, James F (HTSC, IT) Subject: Need Sec Forum speakers-let us know by Wed. if interested TechForum members: Need speakers for panels-please let us know by Wednesday afternoon Dear Members of Technology Managers

[SC-L] Darkreading: compliance

2007-04-02 Thread McGovern, James F (HTSC, IT)
SoX has done a wonderful job of getting enterprises to embrace the notion of holistic identity and access management which wasn't occurring prior to it. It would be interesting to hear from folks here what other enterprise initiatives you think should be on the radar of large

[SC-L] Misc Thoughts

2007-04-02 Thread McGovern, James F (HTSC, IT)
Many folks acknowledge that outsourcing poses additional challenges to enterprises. OWASP has done a wonderful job in terms of creating boilerplate for procuring software, but nothing exists in terms of procuring services. What is the best entity to create standard boilerplate for outsourcing?

[SC-L] Economics of Software Vulnerabilities

2007-03-27 Thread McGovern, James F (HTSC, IT)
May I share another perspective? 1. The debate between open source vs. closed source in terms of security doesn't matter. Does anyone have any metrics that quantify the economics of writing better corporate software not for public consumption? 2. If you can't make the economic case, then you

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread McGovern, James F (HTSC, IT)
own exposure... -Original Message- From: Wall, Kevin [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 20, 2007 9:16 PM To: McGovern, James F (HTSC, IT) Cc: sc-l@securecoding.org Subject: RE: [SC-L] Economics of Software Vulnerabilities James McGovern apparently wrote... The uprising from

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread McGovern, James F (HTSC, IT)
deck that others who have blazed this path before me have used to sell the notion to their executives. -Original Message- From: Andrew van der Stock [mailto:[EMAIL PROTECTED] Sent: Monday, March 19, 2007 5:06 PM To: McGovern, James F (HTSC, IT) Cc: SC-L Subject: Re: [SC-L] How is secure

[SC-L] Question on User Groups

2007-03-20 Thread McGovern, James F (HTSC, IT)
Quick question for folks here. I participate in multiple user-groups and the topic of secure coding practices has never appeared. What would it take for a software vendor on this list to present to the CT OO Users Group (www.cooug.org)? These events are well attended. Likewise, I am also a

[SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread McGovern, James F (HTSC, IT)
I am attempting to figure out how other Fortune enterprises have gone about selling the need for secure coding practices and can't seem to find the answer I seek. Essentially, I have discovered that one of a few scenarios exists: (a) the leadership chain was highly technical and intuitively

Re: [SC-L] Information Protection Policies

2007-03-09 Thread McGovern, James F (HTSC, IT)
] [mailto:[EMAIL PROTECTED] Behalf Of McGovern, James F (HTSC, IT) Sent: Thursday, March 08, 2007 11:17 AM To: SC-L@securecoding.org Subject: [SC-L] Information Protection Policies Hopefully lots of the consultants on this list have been wildly successful in getting Fortune enterprises to embrace secure

[SC-L] Information Protection Policies

2007-03-08 Thread McGovern, James F (HTSC, IT)
Hopefully lots of the consultants on this list have been wildly successful in getting Fortune enterprises to embrace secure coding practices. I am curious to learn of those who have also been successful in getting these same Fortune enterprises to incorporate the notion of secure coding

[SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
If you have two individuals, one of which has been practicing secure coding practices and encouraging others to do so for years while another individual was involved with firewalls, intrusion detection, information security policies and so on, are they both information security professionals or

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
A [mailto:[EMAIL PROTECTED] Sent: Thursday, March 08, 2007 2:07 PM To: Gunnar Peterson; McGovern, James F (HTSC, IT) Cc: SC-L@securecoding.org Subject: RE: [SC-L] What defines an InfoSec Professional? The right answer is both IMO. You need the thinkers, integrators, and operators to do it right

[SC-L] Magazines

2007-01-08 Thread McGovern, James F (HTSC, IT)
I learned through the grapevine that folks from Network Computing will be doing an upcoming article and comparison of tools in the secure coding space. If you are a vendor, it would be wise to make sure your marketing folks are participating. The funny thing is that I wouldn't expect it to

Re: [SC-L] Building Security In vs Auditing

2007-01-03 Thread McGovern, James F (HTSC, IT)
: Tuesday, January 02, 2007 1:35 PM To: McGovern, James F (HTSC, IT); sc-l@securecoding.org Subject: RE: [SC-L] Building Security In vs Auditing Hi all, Very good questions. I think a service like the one you describe would be useful mostly as a way of identifying the depth of the problem

Re: [SC-L] Compilers

2007-01-02 Thread McGovern, James F (HTSC, IT)
which invalidates the above. -Original Message- From: Temin, Aaron L. [mailto:[EMAIL PROTECTED] Sent: Thursday, December 21, 2006 1:38 PM To: McGovern, James F (HTSC, IT); Secure Coding Subject: RE: [SC-L] Compilers It would be worth knowing more about the basis you use for drawing

[SC-L] Building Security In vs Auditing

2007-01-02 Thread McGovern, James F (HTSC, IT)
I read a recent press release in which a security vendor (names removed to both protect the innocent along with the fact that it doesn't matter for this discussion) partnered with a prominent outsourcing firm. The press release was carefully worded but if you read into what wasn't said, it was

RE: [SC-L] RE: Comparing Scanning Tools

2006-06-09 Thread McGovern, James F (HTSC, IT)
-From: Gunnar Peterson [mailto:[EMAIL PROTECTED] Sent: Friday, June 09, 2006 8:48 AM To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT) Subject: Re: [SC-L] RE: Comparing Scanning Tools Right, because their customers (are starting to) demand more secure code from

RE: [SC-L] Comparing Scanning Tools

2006-06-08 Thread McGovern, James F (HTSC, IT)
quality. -Original Message- From: Gunnar Peterson [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 9:28 AM To: McGovern, James F (HTSC, IT) Cc: Secure Mailing List Subject: Re: [SC-L] Comparing Scanning Tools Hi James, I think you are right to look at it as economic issue

RE: [SC-L] Comparing Scanning Tools

2006-06-07 Thread McGovern, James F (HTSC, IT)
To: McGovern, James F (HTSC, IT) Cc: sc-l@securecoding.org Subject: Re: [SC-L] Comparing Scanning Tools | Date: Mon, 5 Jun 2006 16:50:17 -0400 | From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED] | To: sc-l@securecoding.org | Subject: [SC-L] Comparing Scanning Tools | | The industry analyst

[SC-L] Comparing Scanning Tools

2006-06-06 Thread McGovern, James F (HTSC, IT)
The industry analyst take on tools tends to be slightly different than software practitioners at times. Curious if anyone has looked at Fortify and has formed any positive / negative / neutral opinions on this tool and others...

[SC-L] Secure Application Protocol Design

2006-06-06 Thread McGovern, James F (HTSC, IT)
Would love to see Gary address a couple of behaviors I have seen in my travels amongst architect types in corporate America, especially the practice of secure application protocol design that isn't so secure. Is anyone writing/blogging deeply on this aspect? Likewise, there are many folks in