Re: [SC-L] InformIT: You need an SSG

2010-01-13 Thread Benjamin Tomhave
[mailto:alain.desau...@swift.com] Sent: Monday, January 04, 2010 7:23 AM To: Gary McGraw; Secure Code Mailing List; Steve Lipner Cc: list-s...@secureconsulting.net; David Ladd Subject: RE: [SC-L] InformIT: You need an SSG [now posted on sc-l] I agree that in an ideal world, security would

Re: [SC-L] InformIT: You need an SSG

2009-12-23 Thread Gary McGraw
Hi ben, I would be very much interested in Steve Lipner's opinion here, because Steve ran the IR program at Microsoft a decade ago before he was recruited to lead the SSG. Steve, if you would, please take a look at this thread and let us know what your thinking is RE integrating an IR group

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Bret Watson
At 08:01 AM 22/12/2009, Mike Boberski wrote: Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. I'd have to agree -

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Dave Aronson
Mike Boberski mike.bober...@gmail.com wrote: A toolkit example that comes to mind, to keep this email short: the highly-matrixed environment (and actually also the smaller environment, now that I think about it) where developers fly on and off projects. I don't quite grok what you're saying

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
hi bret and mike, While you guys are certainly entitled to your opinion, I think it is important to acknowledge facts when you state an argument. Please take a few minutes to read the article I posted on SSG's (this committee language you're both using is very humorous BTW...thanks for the

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Benjamin Tomhave
I think the short-term assertion is sound (setup a group to make a push in training, awareness, and integration with SOP), but I'm not convinced the long-term assertion (that is, maintaining the group past the initial push) is in fact meritorious. I think there's a danger in setting up dedicated

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
hi ben, You may be right. We have observed that the longer an initiative is underway (we have one in the study that checks in at 14 years old), the more actual activity tends to get pushed out to dev. You may recall from the BSIMM that we call this the satellite. Microsoft has an extensive

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Boberski, Michael [USA]
station ad goes. Best, Mike B. -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Gary McGraw Sent: Tuesday, December 22, 2009 12:09 PM To: list-s...@secureconsulting.net; Secure Code Mailing List Subject: Re: [SC-L] InformIT: You

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. A toolkit example that comes to mind, to keep this email short: the

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
...@informit.com *Subject:* Re: [SC-L] InformIT: You need an SSG I dunno, the concept of SSG seems overly broad to me. Looking at security libraries as a feature or a module eliminates the us vs. them paradox. Adding a new second security group is just twice as confrontational to the still

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
; dustin.sulli...@informit.com *Subject:* Re: [SC-L] InformIT: You need an SSG I dunno, the concept of SSG seems overly broad to me. Looking at security libraries as a feature or a module eliminates the us vs. them paradox. Adding a new second security group is just twice as confrontational