[Owasp-leaders] The Rocky Road To More Secure Code

Marco M. Morana marco.m.morana at gmail.com
Fri Apr 10 07:41:01 EDT 2009


Cannot wait to read the survey sponsored by Forrester and Veracode mentioned 
in the article. In general I like Kelly's article because it puts software 
security initiatives in the right perspective and tries to answer the right 
questions, such as what is the real state of software security initiatives in 
the software industry. In my opinion, based upon my professional experience, 
I feel they are "spot on" for the data mentioned coming from this survey: 
"45% interest vs. 18% keep same funding in application security," in Italian 
we say "predicare bene and razzolare male", preach well but do nothing. The 
reality is that we have few companies that can execute application security 
from the top (CISO) down; maybe these are the 7+2 mentioned in the BSIMM 
survey. One for sure is Microsoft, which actually did start this back in 
2000 with the famous Bill Gates memo. Now (2009) we have maybe 25 major 
software security initiatives mentioned by Gary McGraw in the BSIMM 
introduction and probably several small ones. From the "bottom up" 
perspective I think that OWASP projects and guides have done more for both 
large and small organizations. It would be nice to have a survey on how many 
organizations OWASP helped indirectly to drive software security from the 
bottom up, such as from software developers, testers, software security 
consultants/practitioners, architects and information security officers.

Marco
----- Original Message ----- 
From: <aj.dexter at gmail.com>
To: <tomb at owasp.org>; <owasp-leaders at lists.owasp.org>
Sent: Thursday, April 09, 2009 8:17 PM
Subject: Re: [Owasp-leaders] The Rocky Road To More Secure Code


> Tom,
>
> Agree with all points, except for RACF. I'm still lucky enough to be in an 
> environment using it, and it's not as cool as it might seem.
>
> AJ Dexter
> Portland Chapter
>
> -----Original Message-----
> From: "Tom Brennan - OWASP" <tomb at owasp.org>
>
> Date: Fri, 10 Apr 2009 00:08:13
> To: Owasp-Leaders at Lists.Owasp<owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] The Rocky Road To More Secure Code
>
>
>
> (Netcraft) 1M websites running SSL, so they are protecting something..., if 
> only 50% were "really important" that's a lot of code... It's also a lot 
> of "levels" of security (loss of life, production, etc.)
>
> This snap shot of course does not count new sites coming online every day.
>
> So approaching the insecure running code issue from a business perspective, 
> the business wants to know what the risk is today. After black box 
> testing, options include accept the risk (waiver), shut off the site or use a 
> compensating control.
>
> Issues identified on existing sites in the public facing world today can 
> then be tied back to improving "process" for future applications developed 
> and deployed, including education, source, design, QA and architecture (not 
> in the right order btw).
>
> Technical
> - Confidentiality
> - Integrity
> - Availability
>
> Business
> - Financial Damage
> - Non-compliance
> - Privacy violation
> - Reputation damage
>
> OWASP has the resources for business/gov that's step #1.  We have some 
> books, studies, tools and both drop in solutions ESAPI/OWASP ModSec 
> Project just to name a few of MANY...
>
> For those with decades of insight, how many times have we witnessed 
> business politics disrupt a solid CISO/CIO strategy? It's not a black and 
> white world... rather "shades of gray", and changing behavior and raising 
> awareness and options is our mission @ owasp; we're doing it - 10 years 
> ago the media did not care.... Nor did business. "The rulz have changed". 
> Let's get the 70% of the Top 100 websites to pay attention... as they have 
> hosted malware at one time.
>
> Sometimes I miss RACF and 8-bit Ataris :)
>
>
>
>
> -----Original Message-----
> From: "Marco M. Morana" <marco.m.morana at gmail.com>
>
> Date: Thu, 9 Apr 2009 19:25:30
> To: <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] The Rocky Road To More Secure Code
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders