[Owasp-leaders] WSJ: Software Security

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Fri Mar 6 11:46:05 EST 2009


As the enterprisey guy, I am of the belief that guidance needs to be
provided by direct participation of multiple demographics and not just
vendors doing things on behalf of the enterprise. Providing "not a lot
of gritty detail" is sometimes done to steer a reader in a particular
direction. It should be done such that the answers are not all about
engaging in a sales conversation with a consulting firm or product
vendor, but about helping others learn how to approach a particular
problem space.
 
Since you are interviewing next week, can you ask the following:
 
1. Do you believe that an organization can do BSI without outside
consulting services and leverage products they already have?
2. How should software security roll up into an enterprise architecture
strategy?
3. We can all agree that static analysis is important, but in your
opinion, what security activities within an IT ecosystem are more
important?
4. OWASP creates valuable working software and makes it freely available
but it can't do this for all spaces. Do you think that other security
organizations need to go beyond just awareness and actually deliver
products that others can use in an open manner?
5. Enterprises especially in the financial services space are seeing
their stocks decline to record lows and understand that cash is king.
Likewise, many security tools are easily a million bucks when applied to
enterprise scale. What advice would you provide to them for enabling
security without a whole lot of money?

________________________________

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, March 05, 2009 1:27 PM
To: owasp-leaders at lists.owasp.org; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] WSJ: Software Security


> Would be cool if OWASP Bloggers provided their commentary... 

BSI looks like a VERY high-level doc to help a large org "plan a software
security initiative". Stuff like:
 
Ensure host and network security basics are in place. The organization
provides a solid foundation for software by ensuring that host and
network security basics are in place. It is common for operations
security teams to be responsible for duties such as patching operating
systems and maintaining firewalls.
 
Not a lot of gritty detail. 
 
I know that this and http://www.owasp.org/index.php/ASVS try to solve
different problems, but ASVS seems to scratch the itch much more than
BSI.
 
This is just my initial reaction. I'm interviewing Chess over this next
week and will approach the interview with an open mind.
-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security(tm)
Securing your applications at the source
http://www.aspectsecurity.com

________________________________

From: owasp-leaders-bounces at lists.owasp.org on behalf of McGovern, James
F (HTSC, IT)
Sent: Thu 3/5/2009 4:42 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] WSJ: Software Security



http://blogs.wsj.com/digits/2009/03/04/new-effort-hopes-to-improve-software-security/

Would be cool if OWASP Bloggers provided their commentary... 

************************************************************
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If
you are not the intended recipient, please notify the sender immediately
by return e-mail, delete this communication and destroy all copies.
************************************************************