Re: [SC-L] Regional differences in software security
I'll preface what I'm going to say with:

- I don't work in the financial vertical or government defense, but from conversations with colleagues, I think that they get it (they have to).

- My sphere of experience excludes Australia, India, and Japan:

  - Oz has on average a high skill set of s/w engineers, so I don't see why that would be different for s/w security.

  - From discussions with friends/ex-employees who are from India, because of such a high turnover in the s/w factories, a coder is given a day's to a week's worth of code to produce at one time, so if they leave then they can be replaced without much loss. This was a few years ago and I don't know the level of s/w security introduced since then, but for sure I highly doubt that developers have any say in what they can write.

  - Colleagues and friends who live in Japan say that the level of s/w security is just as bad as the rest of Asia, which was surprising to me. I think, though, that in Japan there is a strong culture of not upstaging the boss, so maybe that explains it.

So, my sphere of experience extends from Beijing to Jakarta and all points in between... (to paraphrase ZZ Top :-)

I would say the level is barely the "beginning of the beginning". There are no compliance laws except for PCI-DSS. There are no breach disclosure laws. There are often huge silos between the security guys and the development team, both organizationally and politically. Quite a few times I've seen the responsibility of software security dumped on the network team with the orders of "make everything secure".
And often: (a) the web site was outsourced years ago and the company is no longer in business; (b) the 3rd party software vendor is not going to fix its software or attempt to make it secure in the near future (and there's nothing in the SLA that says they have to); (c) the development team does exist but either change processes take 3 to 6 months to get anything done, or (d) the network manager has to go to political war to get something done.

From all of the above, a magic elixir for a network security team can be a web application firewall. They can drop a box in and they don't need anybody else's permission. This is what happened on a very recent project (I was helping the client prepare for a PCI audit), and because of my Summer of Code OWASP project, Securing WebGoat using ModSecurity, I was able to help their team write custom ModSec rulesets; and from that they learned something about security (of course it should have been the s/w people who learned something about it).

And, you don't know how many times I've been approached to do pentests for large corporations' web sites that handle sensitive customer data - and their budget is $6500 to $10,000 USD. Sorry, I'm greedy, but I can't risk my reputation by doing a less than half-assed job.

On the bright side, I've had a couple of application pentest projects - the head of the development team was responsible for it (maybe that's the key) - and they went great. The developers & architects didn't know anything about software security, but each manager assembled the entire dev team and network/sys admins for a half day for me to present my findings and educate them on what they needed to do; to explain the origin, the prevention/solution, etc. Those are real fun and it's so cool seeing the looks on people's faces when it clicks and they get it.
Stephen

On Wed, Nov 26, 2008 at 10:45 PM, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> On Nov 26, 2008, at 9:19 AM, Gary McGraw wrote:
>>
>> I think this idea of regional differences is worth exploring a bit. In my
>> work at cigital I have come to believe that there is a difference in
>> approach between the east coast of the US and the west coast.
>
> I completely agree here. Stephen raises a fascinating point.
>
> I don't know what I did {right|wrong}, but the vast majority of my clients
> are in Europe or Southeast Asia right now. (I'm a dual EU/US citizen, which
> perhaps helps.) Apart from all the air miles, I've seen vast differences
> that seem--at least on the surface via casual observation--to have a
> regional component. Contrasting US East, West, EU, and Asia, there are big
> differences in such areas as:
>
> - Software process. I see more process-heavy dev in US East and Europe,
> with far less of it in US West and Asia, for instance.
>
> - Security teams. I see a pretty solid line between IT security and
> software dev teams in US East and Asia, with lines being more blurred in US
> West and EU. This seems to be central to Stephen's point, if I understand
> correctly. And it's a good point to consider.
>
> - Security testing. ...
>
> The list goes on. Unfortunately, all I have are casual observations, but
> the "climate differences" seem palpable to me.
>
> Cheers,
>
> Ken
>
> -
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
Re: [SC-L] Regional differences in software security
On Nov 26, 2008, at 9:19 AM, Gary McGraw wrote:
> I think this idea of regional differences is worth exploring a bit. In my work at cigital I have come to believe that there is a difference in approach between the east coast of the US and the west coast.

I completely agree here. Stephen raises a fascinating point.

I don't know what I did {right|wrong}, but the vast majority of my clients are in Europe or Southeast Asia right now. (I'm a dual EU/US citizen, which perhaps helps.) Apart from all the air miles, I've seen vast differences that seem--at least on the surface via casual observation--to have a regional component. Contrasting US East, West, EU, and Asia, there are big differences in such areas as:

- Software process. I see more process-heavy dev in US East and Europe, with far less of it in US West and Asia, for instance.

- Security teams. I see a pretty solid line between IT security and software dev teams in US East and Asia, with lines being more blurred in US West and EU. This seems to be central to Stephen's point, if I understand correctly. And it's a good point to consider.

- Security testing. ...

The list goes on. Unfortunately, all I have are casual observations, but the "climate differences" seem palpable to me.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
[SC-L] Regional differences in software security
Hi Stephen (et al),

I think this idea of regional differences is worth exploring a bit. In my work at cigital I have come to believe that there is a difference in approach between the east coast of the US and the west coast.

The east coast, led by financial services firms in NY and Boston, has moved well past the "bug parade" and "penetration testing" to a more strategic approach to the problem. These firms approach software security as a people, process, technology problem that involves cultural change. They have made some impressive progress (about which more in late December). It's true that regulation plays a big role in moving the general approach forward, starting with SOX up through the FFIEC and OCC guidance.

By contrast, many (but not all) ISVs on the west coast are still relying on penetration testing to check the software security box. That's because the prevailing attitude out west seems to be something like "software security is important, but our code is WAY better than that example code you're waving around." Pen testing may be a necessity to disavow people of this belief. Incidentally, the west coast approach is currently much more about code, code, code and less about business risk, training, architecture, white box testing and the like.

That said, the west coast approach seems to be tracking the east coast with a lag of 12-18 months. So all told this is good news for the field. Just so you know, I am aware of 22 large scale programs underway, 9 of which we're closely studying in the Maturity Model effort.

I am interested to hear your impressions of AsiaPAC and software security. Thanks for cluing us in.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 11/26/08 3:05 AM, "Stephen Craig Evans" <[EMAIL PROTECTED]> wrote:

Hi Gunnar,

I apologize to everybody if I have come across as being harsh.
From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Developer Evangelist in 2001 to recently at Symantec as the first Secure Application Services consultant for APAC), IMO there's a big gap between the maturity of software security here vs. Europe vs. West Coast USA vs. East Coast USA.

The culture is different and even in the situation that a software developer cared and wanted to implement software security, in many countries they could get in a lot of trouble for upstaging their boss and making him or her "lose face". The responsibility of secure software is not at the developer level in most cases, which is why I've spoken at regional IASA events (www.iasahome.org), with overwhelmingly positive responses, and will continue to try to reach the decision makers (as an OWASP representative) because trying to engage developers directly at this point in time at the maturity level of software security in APAC is not the most effective way to go about it.

I'm sure, though, that at financial institutions they get it, but almost all of my clients are government and media/communications companies.

Also, sorry to everybody for taking this thread off-topic.

Stephen

On Wed, Nov 26, 2008 at 2:24 AM, Gunnar Peterson <[EMAIL PROTECTED]> wrote:
> stephen
>
> i spend at least half my time working directly with developers.
>
> for some reason i have not communicated as well as i should to you, what i
> am saying is that the job is too hard for developers *because* the security
> industry has let them down by sending them on a fool's errand of least
> privilege.
>
> the problem or target in your words IS with security people NOT developers.
> they have other problems just not an endless quixotic quest for least
> privilege. i am not repeat not throwing developers under the bus in this
> argument.
>
> i am ready, willing and possibly able to be proven wrong on this point and
> maybe there is a cost effective way to deploy least privilege in the real
> world just want to make sure that i communicate my argument.
>
> -gunnar
> (who is now letting go)
>
> On Nov 25, 2008, at 12:07 PM, Stephen Craig Evans wrote:
>
>> I can't let this go.
>>
>> Gary, you are self-professed working with financial institutions and
>> high-end customers.
>>
>> Gunnar, you are the same, at least what I gather from your Silver
>> Bullet podcast when talking about the difference between SOA (top
>> down) and Web 2.0 (bottom up).
>>
>> No flame war intended, but a healthy discussion should be in order.
>>
>> So please don't talk about "developers" as targets. They/we are the
>> lowest on the totem pole. Direct your arrows at the people that you
>> deal with. Plain and simple.
>>
>> Cheers,
>> Stephen
>>
>> On Wed, Nov 26, 2008 at 1:48 AM, Gunnar Peterson <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> look, i am a consultant. i work in lots of different companies. lots of
>>> different projects. i don't see these distinctions in black an