Re: [SC-L] PCI: Boon or bust for software security?

2008-03-04 Thread Andy Murren
Overall I concur with Bruce on this. PCI has too broad of a constituent base to cover to be truly effective. Some fixes were added after the TJX breach, but look at how much TJX paid versus how much they laid aside to pay. I am betting that the TJX lawyers produced documents showing that they

[SC-L] Secure development after release

2008-03-04 Thread Andy Murren
Once an application is released or put into production, what are organizations doing to keep the applications secure? As new vulnerabilities and classes of exploits are released, how is that information being fed back to developers so they can update/patch the software? At the network most

[SC-L] implementable process level secure development thoughts

2008-03-11 Thread Andy Murren
I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books and articles. I am not finding, and it may just be I am looking in the wrong places, any information on how people are actually implementing the concepts. I have

Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Andy Murren
Roman, my starting point is sort of simple: how to weave secure development into the basic SDLC. I am assuming that regardless of what you call the steps, most folks use a multi-step process. Working with a 5-step process (Plan, Design, Develop, Test, Deploy), what is added to each of those

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Andy Murren
Personally I think secure coding should be included in the entire curriculum, irrespective of the level. People learn habits early on that they tend to carry for as long as they are programmers. How many programmers that learned the K&R style of indentation, for example, continue to use it as their