, IT) [mailto:[EMAIL PROTECTED]
Sent: Mon Apr 02 11:15:49 2007
To: SC-L@securecoding.org
Subject: [SC-L] Darkreading: compliance
SoX has done a wonderful job of getting enterprises to embrace the notion of
holistic identity and access management which wasn't occurring prior
favor...
-Original Message-
From: Gary McGraw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 10:01 AM
To: McGovern, James F (HTSC, IT); SC-L@securecoding.org
Subject: RE: [SC-L] Darkreading: compliance
Hi all,
Another big momentum machine for software security (and data
For many shops, having another type of firewall could cost
millions whereas putting tools in the hands of developers may
actually be cheaper. We as a community may be better served
by encouraging application firewalls and letting the
financial model for complying work in our favor...
I
On 4/4/07, J. M. Seitz [EMAIL PROTECTED] wrote:
From secure coding practice in development, proper QA cycle and
regression testing, deployment security touchpoints, and finally adding
the
extra layer on the top is putting application layer firewalls in place,
which if we ever have a 0-day style
Gary, may I suggest an alternative response to application firewalls and the
notion that it is harebrained? Of course this is true but this list is
missing a major opportunity to finally calculate an ROI model. If you ask
yourself, what types of firewalls are pervasively deployed, you
At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:
SOX has been a complete waste, imo. First, the majority of it was already
covered in existing law. Second, it really has nothing to do with security
from a practical standpoint. The only purpose SOX has served is to give
auditors another
On Tue, 13 Mar 2007, somebody wrote (attribution isn't clear to me):
no. my feeling is that it focuses management on unimportant things like
meeting checkpoints rather than actually doing useful things.
I heartily agree. Compliance almost always becomes (in the worst sense
of the word) a
/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com.
-Original Message-
From: Bruce Ediger [mailto:[EMAIL PROTECTED]
Sent: Tue Mar 13 12:10:42 2007
To:
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: compliance
On Tue, 13 Mar 2007, somebody
hi sc-l,
this month's darkreading column is about compliance. my own belief is
that compliance has really helped move software security forward. in
particular, sox and pci have been a boon:
http://www.darkreading.com/document.asp?doc_id=119163
what do you think? have compliance efforts you
Maybe it depends on the vertical? What vertical(s) did you find it a
distraction in?
gem
-Original Message-
From: Michael Silk [mailto:[EMAIL PROTECTED]
Sent: Mon Mar 12 17:34:56 2007
To: Gary McGraw
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading
On 3/13/07, Gary McGraw [EMAIL PROTECTED] wrote:
hi sc-l,
this month's darkreading column is about compliance. my own belief is
that compliance has really helped move software security forward. in
particular, sox and pci have been a boon:
what do you think? have compliance efforts you know about helped to
forward software security?
Compliance brings accountability. Without accountability or financial impact
people have
little incentive for putting security on the priority list. I for one welcome
our compliance
overlords.