Re: [SC-L] Regional differences in software security

2008-11-27 Thread Stephen Craig Evans
I'll preface what I'm going to say with:

- I don't work in the financial vertical or government defense, but
from conversations with colleagues, I think that they get it (they
have to)

- My sphere of experience excludes Australia, India, and Japan:
  - Oz has on average a high skill set of s/w engineers, so I don't
see why that would be different for s/w security.
  - From discussions with friends/ex-employees who are from India,
because of such a high turnover in the s/w factories, a coder is given
a day's to a week's worth of code to produce at one time, so if they
leave then they can be replaced without much loss. This was a few
years ago and I don't know the level of s/w security introduced since
then, but for sure I highly doubt that developers have any say in what
they can write.
  - Colleagues and friends who live in Japan say that the level of s/w
security is just as bad as the rest of Asia, which was surprising to
me. I think, though, that in Japan, there is a strong culture of not
upstaging the boss so maybe that explains it.

So, my sphere of experience extends from Beijing to Jakarta and all
points in between... (to paraphrase ZZ Top :-)

I would say the level is barely the beginning of the beginning.
There are no compliance laws except for PCI-DSS. There are no breach
disclosure laws.

There are often huge silos between the security guys and the
development team, both organizationally and politically. Quite a few
times I've seen the responsibility of software security dumped on the
network team with the orders of make everything secure. And often:
(a) the web site was outsourced years ago and the company is no longer
in business; (b) the 3rd party software vendor is not going to fix its
software or attempt to make it secure in the near future (and there's
nothing in the SLA that says they have to; (c) the development team
does exist but either change processes take 3 to 6 months to get
anything done, or (d) the network manager has to go to political war
to get something done.

From all of the above, a magic elixir for a network security team can
be a web application firewall. They can drop a box in and they don't
need anybody else's permission. This is what happened on a very recent
project (I was helping the client prepare for a PCI audit), and
because of my Summer of Code OWASP project, Securing WebGoat using
ModSecurity, I was able to help their team write custom ModSec
rulesets; and from that they learned something about security (of
course it should have been the s/w people who learned something about

And, you don't know how many times I've been approached to do pentests
for large corporations' web sites that handle sensitive customer data
- and their budget is $6500 to $10,000 USD. Sorry, I'm greedy, but I
can't risk my reputation by doing a less than half-assed job.

On the bright side, I've had a couple of application pentest projects
- the head of the development team was responsible for it (maybe
that's the key) - and they went great. The developers  architects
didn't know anything about software security, but each manager
assembled the entire dev team and network/sys admins for a half day
for me to present my findings and educate them on what they needed to
do; to explain the origin, the prevention/solution, etc. Those are
real fun and it's so cool seeing the looks on people's faces when it
clicks and they get it.


On Wed, Nov 26, 2008 at 10:45 PM, Kenneth Van Wyk [EMAIL PROTECTED] wrote:
 On Nov 26, 2008, at 9:19 AM, Gary McGraw wrote:

 I think this idea of regional differences is worth exploring a bit.  In my
 work at cigital I have come to believe that there is a difference in
 approach between the east coast of the US and the west coast.

 I completely agree here.  Stephen raises a fascinating point.

 I don't know what I did {right|wrong}, but the vast majority of my clients
 are in Europe or Southeast Asia right now.  (I'm a dual EU/US citizen, which
 perhaps helps.)  Apart from all the air miles, I've seen vast differences
 that seem--at least on the surface via casual observation--to have a
 regional component.  Contrasting US East, West, EU, and Asia, there are big
 differences in such areas as:

 - Software process.  I see more process-heavy dev in US East and Europe,
 with far less of it in US West and Asia, for instance.

 - Security teams.  I see a pretty solid line between IT security and
 software dev teams in US East and Asia, with lines being more blurred in US
 West and EU.  This seems to be central to Stephen's point, if I understand
 correctly.  And it's a good point to consider.

 - Security testing.  ...

 The list goes on.  Unfortunately, all I have are casual observations, but
 the climate differences seem palpable to me.



 Kenneth R. van Wyk
 KRvW Associates, LLC

 Secure Coding mailing list (SC-L)
 List information, 

[SC-L] Regional differences in software security

2008-11-26 Thread Gary McGraw
Hi Stephen (et al),

I think this idea of regional differences is worth exploring a bit.  In my work 
at cigital I have come to believe that there is a difference in approach 
between the east coast of the US and the west coast.  The east coast led by 
financial services firms in NY and Boston has moved well past the bug parade 
and penetration testing to a more strategic approach to the problem.  These 
firms approach software security as a people, process, technology problem that 
involves cultural change.  They have made some impressive progress (about which 
more in late December).  It's true that regulation plays a big role in moving 
the general approach forward, starting with SOX up through the FFIEC and OCC 

By contrast, many (but not all) ISVs on the west coast are still relying on 
penetration testing to check the software security box.  That's because the 
prevailing attitude out west seems to be something like software security is 
important, but our code is WAY better than that example code you're waving 
around.  Pen testing may be a necessity to disavow people of this belief.   
Incidentally, the west coast approach is currently much more about code, code, 
code and less about business risk, training, architecture, white box testing 
and the like.

That said, the west coast approach seems to be tracking the east coast with a 
lag of 12-18 months.  So all told this is good news for the field.  Just so you 
know, I am aware of 22 large scale programs underway, 9 of which we're closely 
studying in the Maturity Model effort.

I am interested to hear your impressions of AsiaPAC and software security.  
Thanks for cluing us in.



On 11/26/08 3:05 AM, Stephen Craig Evans [EMAIL PROTECTED] wrote:

Hi Gunnar,

I apologize to everybody if I have come across as being harsh.

From my 8 years of experience of living in Asia and being actively
involved as a developer and working with developers (at Microsoft as
its first .NET Regional Developer Evangelist in 2001 to recently at
Symantec as the first Secure Application Services consultant for
APAC), IMO there's a big gap between the maturity of software security
here vs. Europe vs. West Coast USA vs. East Coast USA.

The culture is different and even in the situation that a software
developer cared and wanted to implement software security, in many
countries they could get in a lot of trouble for upstaging their boss
and making him or her lose face.

The responsibility of secure software is not at the developer level in
most cases, which is why I've spoken at regional IASA events
(, with overwhelming positive responses, and will
continue to try to reach the decision makers (as an OWASP
representative) because trying to engage developers directly at this
point in time at the maturity level of software security in APAC is
not the most effective way to go about it. I'm sure, though, that at
financial institutions they get it, but almost all of my clients are
government and media/communications companies.

Also, sorry to everybody for taking this thread off-topic.


On Wed, Nov 26, 2008 at 2:24 AM, Gunnar Peterson [EMAIL PROTECTED] wrote:

 i spend at least half my time working directly with developers.

 for some reason i have not communicated as well as i should to you, what i
 am saying is that the job is too hard for developers *because* the security
 industry has let them down by sending them on a fool's errand of least

 the problem or target in your words IS with security people NOT developers.
 they have other problems just not an endless quixotic quest for least
 privilege. i am not repeat not throwing developers under the bus in this

 i am ready, willing and possibly able to be proven wrong on this point and
 maybe there is a cost effective way to deploy least privilege in the real
 world just want to make sure that i communicate my argument.

 (who is now letting go)

 On Nov 25, 2008, at 12:07 PM, Stephen Craig Evans wrote:

 I can't let this go.

 Gary, you are self-professed working with financial institutions and
 high-end customers.

 Gunnar, you are the same, at least what I gather from your Silver
 Bullet podcast when talking about the difference between SOA (top
 down) and Web 2.0 (bottom up).

 No flame war intended, but a healthy discussion should be in order.

 So please don't talk about developers as targets. They/we are the
 lowest on the totem pole. Direct your arrows at the people that you
 deal with. Plain and simple.


 On Wed, Nov 26, 2008 at 1:48 AM, Gunnar Peterson [EMAIL PROTECTED]

 look, i am a consultant. i work in lots of different companies. lots of
 different projects. i don't see these distinctions in black and white.
 sometimes the cto and managers are best positioned to help companies