[Global_education_committee] Fwd: [Owasp-leaders] Question on ISACA

kuai hinojosa kuai.hinojosa at owasp.org
Thu Nov 5 09:03:02 EST 2009


You guys seen this document?

Kuai Hinojosa

Begin forwarded message:

> From: ludovic petit <ludovic.petit at owasp.org>
> Date: November 5, 2009 4:59:50 AM EST
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Question on ISACA
> Reply-To: owasp-leaders at lists.owasp.org
>

> Further to what James said, "one of the observations is that IT
> auditors have zero clue as to how to audit a secure coding
> practice", my view is that in such a case, IT auditors involved in
> such an audit must have a coding background for a quite simple
> reason: how can they expect to understand a coding practice
> approach, especially a secure one, if they do not have any clue of
> the necessary context of synthesis to do so?
> So in that sense, evidence of developer training might be a good
> start.
> However, we need to help auditors AND managers understand the
> non-technical things, and I think that this could be possible through a
> document explaining why a secure coding practice is needed and, if
> not done, what the real impacts are (technical, but more
> important... business-related, legal) for a company and its
> Executives as well.
> We (OWASP France staff) have created a document in France for
> Managers, explaining (from a high-level approach) why it's important
> to secure WebApps... with a focus on Legal and the OWASP Secure
> Software Contract Annex.
> (http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf)
>
>
> -- 
> Ludovic Petit
> OWASP France Chapter Leader
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (eBusiness)
> Sent: Wednesday, November 04, 2009 4:38 PM
> To: owasp-leaders at lists.owasp.org; sc-l at securecoding.org
> Subject: [Owasp-leaders] Question on ISACA
>
> John Morency of Gartner just finished giving a presentation to our  
> IT executives and one of the observations is that IT auditors have  
> zero clue as to how to audit a secure coding practice. IT audit  
> right now is limited to simply looking at "control" documents and  
> viewing things through the lens of "infrastructure". Is there  
> something we as a community should be doing to make auditors smarter?
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders