[Global_education_committee] Fwd: [Owasp-leaders] Question on ISACA

kuai hinojosa kuai.hinojosa at owasp.org
Thu Nov 5 10:00:34 EST 2009


Nice, is there an English version?

On Nov 5, 2009, at 9:37 AM, Sebastien Gioria wrote:

> Yep
>
> I'm one of the authors with Ludovic
>
> A new one is on the pipe (more technical)
>
>
> 2009/11/5 kuai hinojosa <kuai.hinojosa at owasp.org>
> You guys seen this document?
>
> Kuai Hinojosa
>
> Begin forwarded message:
>
>> From: ludovic petit <ludovic.petit at owasp.org>
>> Date: November 5, 2009 4:59:50 AM EST
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Question on ISACA
>> Reply-To: owasp-leaders at lists.owasp.org
>>
>> Further to what James said, "one of the observations is that IT
>> auditors have zero clue as to how to audit a secure coding
>> practice", my view is that in such a case, IT auditors involved in
>> such an audit must have a coding background for a quite simple
>> reason: how can they expect to understand a coding practice
>> approach, especially a secure one, if they do not have any clue of
>> the necessary context of synthesis to do so?
>> So in that sense, evidence of developer training might be a good  
>> start.
>> However, we need to help auditors AND managers understand the non- 
>> technical things, and I think that this could be possible through a  
>> document explaining why a secure coding practice is needed and if  
>> not done, what are the real impacts (technical, but more  
>> important... business-related, legal) for a company and its  
>> Executives as well.
>> We (Owasp France staff) have created a document in France for  
>> Managers, explaining (from a high level approach) why it's  
>> important to secure WebApps... with a focus about Legal and the  
>> OWASP Secure Software Contract Annex.
>> (http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf)
>>
>>
>> -- 
>> Ludovic Petit
>> OWASP France Chapter Leader
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>> On Behalf Of McGovern, James F. (eBusiness)
>> Sent: Wednesday, November 04, 2009 4:38 PM
>> To: owasp-leaders at lists.owasp.org; sc-l at securecoding.org
>> Subject: [Owasp-leaders] Question on ISACA
>>
>> John Morency of Gartner just finished giving a presentation to our  
>> IT executives and one of the observations is that IT auditors have  
>> zero clue as to how to audit a secure coding practice. IT audit  
>> right now is limited to simply looking at "control" documents and  
>> viewing things through the lens of "infrastructure". Is there  
>> something we as a community should be doing to make auditors smarter?
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> _______________________________________________
> Global_education_committee mailing list
> Global_education_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_education_committee
> -- 
> French Chapter Leader
> GSM: +33 6 23 04 00 51
>