[Owasp-leaders] The Rocky Road To More Secure Code

Tom Brennan - OWASP tomb at owasp.org
Thu Apr 9 20:08:13 EDT 2009

(Netcraft) 1M websites running SSL so they are protecting something..., if only 50% were "really important" that's a lot of code... It's also a lot of "levels" of security (loss of life, production, etc.)

This snap shot of course does not count new sites coming online every day.

So approaching the insecure running code issue from a business perspective the business wants to know what is the risk today. After black box options include accept the risk (waiver), shut off the site or use a compensating control.

Issues identified on existing sites in the public facing world today can then be tied back to improving "process" for future applications developed and deployed, including education, source, design, QA and architecture (not in the right order btw).

- Confidentiality
- Integrity
- Availability

- Financial Damage
- Non-compliance
- Privacy violation
- Reputation damage

OWASP has the resources for business/gov that's step #1.  We have some books, studies, tools and both drop in solutions ESAPI/OWASP ModSec Project just to name a few of MANY...

For those with decades of insight, how many times have we witnessed the business politics disrupt a solid CISO/CIO strategy. It's not a black and white world... rather "shades of gray", and changing behavior and raising awareness and options is our mission @ owasp; we're doing it - 10 years ago the media did not care.... Nor did business; "the rulz have changed". Let's get the 70% of the Top 100 websites to pay attention... as they have hosted malware at one time.

Sometimes I miss RACF and 8-bit Ataris :)

-----Original Message-----
From: "Marco M. Morana" <marco.m.morana at gmail.com>

Date: Thu, 9 Apr 2009 19:25:30 
To: <owasp-leaders at lists.owasp.org>
Subject: [Owasp-leaders] The Rocky Road To More Secure Code
