[Global_education_committee] Fwd: [Owasp-leaders] Question on ISACA

Sebastien Gioria sebastien.gioria at owasp.org
Thu Nov 5 10:42:17 EST 2009


no :-(

2009/11/5 kuai hinojosa <kuai.hinojosa at owasp.org>

> Nice, is there an English version?
>
> On Nov 5, 2009, at 9:37 AM, Sebastien Gioria wrote:
>
> Yep
>
> I'm one of the authors, with Ludovic.
>
> A new one is in the pipeline (more technical).
>
>
> 2009/11/5 kuai hinojosa <kuai.hinojosa at owasp.org>
>
>> You guys seen this document?
>>
>> Kuai Hinojosa
>>
>> Begin forwarded message:
>>
>> *From:* ludovic petit <ludovic.petit at owasp.org>
>> *Date:* November 5, 2009 4:59:50 AM EST
>> *To:* owasp-leaders at lists.owasp.org
>> *Subject:* *Re: [Owasp-leaders] Question on ISACA*
>> *Reply-To:* owasp-leaders at lists.owasp.org
>>
>> Further to what James said, *"one of the observations is that IT auditors
>> have zero clue as to how to audit a secure coding practice"*, my view is
>> that in such a case, IT auditors involved in such an audit must have a
>> coding background, for a quite simple reason: how can they expect to
>> understand a coding practice approach, especially a secure one, if they do
>> not have any clue of the necessary context of synthesis to do so?
>> So in that sense, evidence of developer training might be a good start.
>> However, we need to help auditors AND managers understand the
>> non-technical things, and I think that this could be possible through a
>> document explaining why a secure coding practice is needed and, if it is not
>> done, what the real impacts are (technical, but more
>> important... business-related, legal) for a company and its Executives as
>> well.
>> We (OWASP France staff) have created a document in France for Managers,
>> explaining (from a high-level approach) why it's important to secure
>> WebApps... with a focus on Legal and the OWASP Secure Software Contract
>> Annex. (http://www.clusif.fr/fr/production/ouvrages/pdf/CLUSIF-2009-Securite-des-applications-Web.pdf)
>>
>>
>> --
>> Ludovic Petit
>> OWASP France Chapter Leader
>>  ------------------------------
>> *From:* owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *McGovern, James F.
>> (eBusiness)
>> *Sent:* Wednesday, November 04, 2009 4:38 PM
>> *To:* owasp-leaders at lists.owasp.org;
>> sc-l at securecoding.org
>> *Subject:* [Owasp-leaders] Question on ISACA
>>
>> John Morency of Gartner just finished giving a presentation to our IT
>> executives and one of the observations is that IT auditors have zero clue as
>> to how to audit a secure coding practice. IT audit right now is limited to
>> simply looking at "control" documents and viewing things through the lens of
>> "infrastructure". Is there something we as a community should be doing to
>> make auditors smarter?
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>> _______________________________________________
>> Global_education_committee mailing list
>> Global_education_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_education_committee
>>
>>
>
>
> --
> French Chapter Leader
> GSM: +33 6 23 04 00 51
>
>
>


-- 
French Chapter Leader
GSM: +33 6 23 04 00 51