[Owasp-leaders] Question on ISACA
ludovic.petit at owasp.org
Thu Nov 5 04:59:50 EST 2009
Further to what James said, *"one of the observations is that IT auditors
have zero clue as to how to audit a secure coding practice"*, my view is
that in such a case, IT auditors involved in such an audit must have a
coding background for a quite simple reason: how can they expect to
understand a coding practice approach, especially a secure one, if they do
not have any clue of the necessary context of synthesis to do so?
So in that sense, evidence of developer training might be a good start.
However, we need to help auditors AND managers understand the non-technical
things, and I think that this could be possible through a document
explaining why a secure coding practice is needed and, if it is not done, what
the real impacts are (technical, but more importantly... business-related, legal)
for a company and its Executives as well.
We (Owasp France staff) have created a document in France for Managers,
explaining (from a high level approach) why it's important to secure
WebApps... with a focus about Legal and the OWASP Secure Software Contract
OWASP France Chapter Leader
*From:* owasp-leaders-bounces at lists.owasp.org [mailto:
owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *McGovern, James F.
*Sent:* Wednesday, November 04, 2009 4:38 PM
*To:* owasp-leaders at lists.owasp.org; sc-l at securecoding.org
*Subject:* [Owasp-leaders] Question on ISACA
John Morency of Gartner just finished giving a presentation to our IT
executives and one of the observations is that IT auditors have zero clue as
to how to audit a secure coding practice. IT audit right now is limited to
simply looking at "control" documents and viewing things through the lens of
"infrastructure". Is there something we as a community should be doing to
make auditors smarter?