Re: [SC-L] InformIT: You need an SSG

2010-01-13 Thread Benjamin Tomhave
according to different business unit leadership: I would think that > this would be a real challenge for the CISO. This also reflects my > own experience on the delivery side. > > In summary, SSG provides down-to-earth facts and figures helping > management make risk balance instead of leav

Re: [SC-L] InformIT: You need an SSG

2009-12-23 Thread Gary McGraw
Hi ben, I would be very much interested in Steve Lipner's opinion here, because Steve ran the IR program at Microsoft a decade ago before he was recruited to lead the SSG. Steve, if you would, please take a look at this thread and let us know what your thinking is RE integrating an IR group an

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Benjamin Tomhave
Hi Gary, I've worked with organizations that have taken a similar approach with incident response management. You have a core IR team (within the security dept) and then you designate IR contacts within specific ops teams. This approach seems to work ok, but coordination gets to be problematic, ca

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Boberski, Michael [USA]
ocal radio station ad goes. Best, Mike B. -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Gary McGraw Sent: Tuesday, December 22, 2009 12:09 PM To: list-s...@secureconsulting.net; Secure Code Mailing List Subject: Re: [SC-L] Inf

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
hi ben, You may be right. We have observed that the longer an initiative is underway (we have one in the study that checks in at 14 years old), the more actual activity tends to get pushed out to dev. You may recall from the BSIMM that we call this the satellite. Microsoft has an extensive s

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Benjamin Tomhave
I think the short-term assertion is sound (set up a group to make a push in training, awareness, and integration with SOP), but I'm not convinced the long-term assertion (that is, maintaining the group past the initial push) is in fact meritorious. I think there's a danger in setting up dedicated se

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Gary McGraw
hi bret and mike, While you guys are certainly entitled to your opinion, I think it is important to acknowledge facts when you state an argument. Please take a few minutes to read the article I posted on SSGs (this "committee" language you're both using is very humorous BTW...thanks for the l

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Dave Aronson
Mike Boberski wrote: > A toolkit example that comes to mind, to keep this email short: the > highly-matrixed environment (and actually also the smaller environment, now > that I think about it) where developers fly on and off projects. I don't quite grok what you're saying here. The syntax look

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Bret Watson
At 08:01 AM 22/12/2009, Mike Boberski wrote: Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. I'd have to agree - whi

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
that don’t fit > the norm. > > > > Dave > > > > *From:* Mike Boberski [mailto:mike.bober...@gmail.com] > *Sent:* Monday, December 21, 2009 5:22 PM > *To:* Gary McGraw > *Cc:* David Ladd; SC-L@securecoding.org; dustin.sulli...@informit.com > > > *Sub

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
Ladd; SC-L@securecoding.org; dustin.sulli...@informit.com > > *Subject:* Re: [SC-L] InformIT: You need an SSG > > > > I dunno, the concept of "SSG" seems overly broad to me. Looking at security > libraries as a feature or a module eliminates the us vs. them paradox. > Adding

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
e Mailing List ; Dustin Sullivan > *Sent*: Mon Dec 21 19:01:37 2009 > *Subject*: Re: [SC-L] InformIT: You need an SSG > Hi Gary. > > To play devil's advocate: > > Current organizational practices aside, I would say that organizations > really need more and better toolk

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. A toolkit example that comes to mind, to keep this email short: the highl