[SAMM] Upcoming Article
Pravir Chandra
chandra at owasp.org
Sat Feb 13 04:53:08 EST 2010
That's a good question, really. First thought is to immediately jump
to a conversation about risks and unknowns vs. knowns, etc. BUT, I
think based on experience, most are generally WAY more basic than that
when it comes to appsec (at least when they're getting a program off
the ground all the way up until we'd anecdotally say a company "has an
appsec program"). In those stages the questions are more like (roughly
in order, tho some oscillation):
* Is this really a (potential) problem? Usually an easily evinced point.
* Am I doing anything about it right now?
* Is what I'm doing good enough or should I be trying to change things?
* How do we measure any of this madness since I need to manage it?
Dunno if that helps, just my $0.02 while in between flights. Glad to
help further if you want to collaborate on the article.
p.
On 2/12/10, McGovern, James F. (P+C Technology)
<James.McGovern at thehartford.com> wrote:
> I am toying with the notion of writing an article for the insurance
> vertical entitled: The Ten Things You Need to Know about Application
> Security where the audience is not IT-savvy users, but one of insurance
> agents who handle a variety of security concerns ranging from
> personally-identifiable information to credit cards as part of the
> business process.
>
> If you ever watched game shows such as Jeopardy, you would be familiar
> with the fact that the answer is known and the user has to provide the
> question. So, what do folks here think that a business user should be
> asking when it comes to measuring security maturity?