[Owasp-leaders] Question on ISACA

Jeff Williams jeff.williams at owasp.org
Thu Nov 5 00:19:45 EST 2009


I've worked with a number of auditors over the years and have spoken
regularly at ISACA meetings. My take is that there are a few relevant
standards that auditors are using, like 800-53, DISA STIG, PCI, SOX, HIPAA
etc. But these are so vague when it comes to application security that it's
very difficult for them to know how deep they have to go.


I believe we need to help by interpreting these standards for application
security.  When the standard says "authentication" we should say what that
means for different types of applications.  The ASVS does this to a certain
extent, but more guidance for auditors on what they actually need to verify
would be very helpful.


Even standards like SOX that are quite vague on application security require
the integrity of financial results. We should interpret SOX by saying that
you can't have financial integrity without trust in the applications.  That
means that you must have certain controls, they must work properly and be
used where needed. It also means you can't have any of the Top 10, etc.


I also agree that we need to help them understand the non-technical things
they can check and SAMM is a great guideline there. We can tie that back to
the regulations to make the auditors really notice.


--Jeff


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Pravir Chandra
Sent: Wednesday, November 04, 2009 9:17 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Question on ISACA


For SAMM, each level for each security practice has an 'Objective'
that I tried to write in a way that would allow it to double as a
'Control Statement' in an audit context. So, hopefully, SAMM is fairly
auditor friendly since you could use the deliverables produced by each
of the underlying Activities to demonstrate evidence for meeting the
Control Statement.

Also, Nick Coblentz produced a SAMM interview checklist that includes
a list of 'Assertions' that are being made by answering yes to the
questions on the SAMM assessment worksheets. Those might also be
useful from an audit perspective. For those that haven't seen it, the
link to Nick's interview template is:

http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html

Does that address the goals of audit tie-ins or were folks looking for
something more explicit? There's always opportunities to add it to the
next SAMM version if it's useful :)

p.

On Wed, Nov 4, 2009 at 11:15 AM, McGovern, James F. (eBusiness)
<James.McGovern at thehartford.com> wrote:

Eoin, I think your take on SAMM is interesting. I think the difference is
not to look for evidence but to measure against controls. Auditors use the
notion of controls to figure out good vs bad and it is less fluid / abstract
than simply seeking evidence. I wonder if Pravir or others have thought
about expanding SAMM to include audit language.

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, November 04, 2009 11:07 AM


To: owasp-leaders at lists.owasp.org
Cc: sc-l at securecoding.org
Subject: Re: [Owasp-leaders] Question on ISACA

Re understanding what secure coding is:

Taking a look at the OWASP development guides and Code review guide is a
start: The intro sections cover what a secure SDLC would look like etc.

Looking at SAMM can indicate what is required also by examining the domains
and mapping onto the SDLC

Re auditing: (it's not just secure coding, it's the whole kahuna)


Evidence of developer training is a good start

Evidence of secure coding guidelines is nice to see, even better if they have
a review history (looked used!).

A generic secure application development policy could be used which can be
linked to technology specific guidelines


Evidence of review and adherence to them.


Evidence of negative testing, negative use cases anti patterns & threat
modeling


but there is more.......


2009/11/4 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>

John Morency of Gartner just finished giving a presentation to our IT
executives and one of the observations is that IT auditors have zero clue as
to how to audit a secure coding practice. IT audit right now is limited to
simply looking at "control" documents and viewing things through the lens of
"infrastructure". Is there something we as a community should be doing to
make auditors smarter?

************************************************************
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.
************************************************************


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders




-- 
Eoin Keary

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary
