[Global_education_committee] Fwd: [Owasp-leaders] Question on ISACA

Sebastien Gioria sebastien.gioria at owasp.org
Thu Nov 5 09:37:47 EST 2009


I'm one of the authors, with Ludovic.

A new one is in the pipeline (more technical).

2009/11/5 kuai hinojosa <kuai.hinojosa at owasp.org>

> You guys seen this document?
> Kuai Hinojosa
> Begin forwarded message:
> *From:* ludovic petit <ludovic.petit at owasp.org>
> *Date:* November 5, 2009 4:59:50 AM EST
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* *Re: [Owasp-leaders] Question on ISACA*
> *Reply-To:* owasp-leaders at lists.owasp.org
> Further to what James said, *"one of the observations is that IT auditors
> have zero clue as to how to audit a secure coding practice"*, my view is
> that in such a case, IT auditors involved in such an audit must have a
> coding background for a quite simple reason: how can they expect to
> understand a coding practice approach, especially a secure one, if they do
> not have any clue of the necessary context of synthesis to do so?
> So in that sense, evidence of developer training might be a good start.
> However, we need to help auditors AND managers understand the non-technical
> things, and I think that this could be possible through a document
> explaining why a secure coding practice is needed and if not done, what are
> the real impacts (technical, but more important... business-related, legal)
> for a company and its Executives as well.
> We (OWASP France staff) have created a document in France for Managers,
> explaining (from a high level approach) why it's important to secure
> WebApps... with a focus on Legal and the OWASP Secure Software Contract
> Annex. (http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf)
> --
> Ludovic Petit
> OWASP France Chapter Leader
> ------------------------------
> *From:* owasp-leaders-bounces at lists.owasp.org *On Behalf Of *McGovern, James F.
> (eBusiness)
> *Sent:* Wednesday, November 04, 2009 4:38 PM
> *To:* owasp-leaders at lists.owasp.org; sc-l at securecoding.org
> *Subject:* [Owasp-leaders] Question on ISACA
> John Morency of Gartner just finished giving a presentation to our IT
> executives and one of the observations is that IT auditors have zero clue as
> to how to audit a secure coding practice. IT audit right now is limited to
> simply looking at "control" documents and viewing things through the lens of
> "infrastructure". Is there something we as a community should be doing to
> make auditors smarter?
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> Global_education_committee mailing list
> Global_education_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_education_committee

French Chapter Leader
GSM: +33 6 23 04 00 51