[Owasp-leaders] WSJ: Software Security

AF antonio.fontes at gmail.com
Mon Mar 9 05:40:19 EDT 2009

On Sat, Mar 7, 2009 at 12:59 AM, Marco M. Morana
<marco.m.morana at gmail.com> wrote:
> " ...to capture how those 9 companies have done it.."
> I counted: (1) Adobe, (2) EMC, (3) Google, (4) Microsoft, (5) QUALCOMM, (6)
> Wells Fargo, and (7) Depository Trust & Clearing Corporation (DTCC)
> wonder who the other two "incognitos" are.. just curiosity and math :)
> Regards
> Marco Morana


A "little" question: the companies listed seem to employ hundreds if
not thousands of software developers worldwide. If I read correctly, 90% to
99% of companies in most developed countries employ fewer than 250
employees (and 60% have fewer than 3 employees). I can't precisely tell
how much this applies, but I guess a non-negligible percentage
of total LOCs in production around the world is produced by small and
medium-sized companies, if not independent coders.

I don't have the experience or the credibility to challenge initiatives
such as BSIMM or SAMM. However, I feel like I now have some experience
in driving secure development efforts in a small-sized company, and I
feel like there is a huge gap between what the tools, methodologies
and other 'standards' recommend and what efforts such small companies
are actually willing (or even financially capable of) to commit to.

I recall James's questions:

1. Do you believe that an organization can do BSI without outside
consulting services and leverage products they already have? -> Can a
small company actually code securely without spending thousands in
consulting services or buying full-blown security vendor products?

2. How should software security roll up into an enterprise
architecture strategy? -> How should a small company absorb secure
development practices? What strategy is efficient? What is the
recommended first step? And the second one? ... Where does the
Pareto principle apply? Wouldn't setting up a robust web application
firewall ruleset be the central key of web application security for
SMBs?

3. We can all agree that static analysis is important, but in your
opinion, what security activities within an IT ecosystem are more
important? -> Yes, we mostly all agree here. However, as I recall
from some of my last year's customers' thoughts: "Let's ship and sell
first. We'll improve the product through change management." What can
developers do when security is not the main focus of their management?

4. OWASP creates valuable working software and makes it freely
available but it can't do this for all spaces. Do you think that other
security organizations need to go beyond just awareness and actually
deliver products that others can use in an open manner? -> Yes, more
security organisations need to leverage ease of access to their
knowledge, experience, tools, documents and whatsoever they have
without forcing an interested party into some complex commercial
process. I've heard of some appsec guys or developers who only
evaluate security products, which they can easily get access to,
without having to get in contact with commercials or "tell me your

5. Enterprises, especially in the financial services space, are seeing
their stocks decline to record lows and understand that cash is king.
Likewise, many security tools easily cost a million bucks when applied
at enterprise scale. What advice would you provide to them for
enabling security without a whole lot of money? -> A lot of answers
reside in this question... : )

My question is: did I miss an important step (and could someone
possibly give me some insight on where to find that information), or am
I wrong when I feel like most secure software development initiatives
aim at large companies and are, as of today, still not able to fit
small businesses' priorities? What is precisely being done for
them, by people who have actual long-standing experience in such
environments? What about a "Poor man's web appsec guide"?

My 2 cents...
