[Owasp-leaders] Question on ISACA

Eoin eoin.keary at owasp.org
Wed Nov 4 11:07:04 EST 2009


Re understanding what secure coding is:

Taking a look at the OWASP Development Guide and Code Review Guide is a
start: the intro sections cover what a secure SDLC would look like, etc.
Looking at SAMM can also indicate what is required, by examining the domains
and mapping them onto the SDLC.

Re auditing: (it's not just secure coding, it's the whole kahuna)

Evidence of developer training is a good start.

Evidence of secure coding guidelines is nice to see, even better if they have
a review history (looked used!).
A generic secure application development policy could be used, which can be
linked to technology-specific guidelines.

Evidence of review and adherence to them.

Evidence of negative testing, negative use cases, anti-patterns & threat
modeling.

but there is more...

2009/11/4 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>

> John Morency of Gartner just finished giving a presentation to our IT
> executives and one of the observations is that IT auditors have zero clue as
> to how to audit a secure coding practice. IT audit right now is limited to
> simply looking at "control" documents and viewing things through the lens of
> "infrastructure". Is there something we as a community should be doing to
> make auditors smarter?
>


-- 
Eoin Keary

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary

