[Owasp-leaders] ISACA and OWASP

McGovern, James F. (P+C Technology) James.McGovern at thehartford.com
Wed May 19 12:02:19 EDT 2010


Yesterday, The Hartford chapter of OWASP had a combined meeting with
folks from ISACA making it one of the largest attended events we have
ever hosted. I would strongly encourage other chapter leaders to
consider organizing a similar event. Many people joke that there is less
fear of outside blackhats, or even of rogue employees, than of auditors,
whom people fear the most. So, the key action item is to get auditors
not only to understand the OWASP value proposition, but to want to
actively encourage others to participate in it as well.

One of the common themes that I have been thinking about, and that has
been amplified by many auditors, is that OWASP looks at things through
the lens of security but otherwise does a poor job of explaining things in
business terms. For example, many of us use static analysis tools that
create lots of metrics. While we can get academic in conversations
around false positives, false negatives, etc, a better conversation
would be for us to figure out some method for reliably translating
static analysis findings to something that feels like the OWASP risk
rating method. Today, there is no easy to understand traceable method
between these two constructs.

For our particular meeting, I presented SAMM and they were incredibly
supportive of the assessment worksheet. More importantly, I discovered
that auditors weren't even aware that OWASP had a new version of the
Top Ten. Pointing out the clause within PCI that states organizations
need to align with the updated version was an awakening for many. We
need to figure out how to communicate the OWASP Top Ten to other
communities, with IT audit being the one of highest priority.



