[Owasp-leaders] OWASP GRC

James McGovern JMcGovern at virtusa.com
Thu Feb 10 11:17:42 EST 2011

Had an opportunity to talk with other Security Architects in the
Hartford CT area about the changing landscape of security. We now have
static analysis tools, pen test tools, etc., all of which are useful in
remediating insecure applications. We all came to the conclusion that
way too many people who aren't infosec literate will continue to
question the size and scope of infosec going forward and that we don't
have a way for them to participate.

Generally speaking, when most corporations want to understand the
challenges in front of them, they start with an "inventory" mindset
which leads them away from necessarily worrying about how to fix things
and more towards a path that is all about classification and capture.
This begs several questions in my mind that OWASP projects should

1. Is the effort that Dinis is leading to expose "findings" in an open
manner, a way to also populate GRC tools?
2. How should GRC tools and their vendors think about SAMM? Could this
be an extension to say EMC's Archer?
3. Do we think that the various checklists we have created would also be
valuable to an auditor if captured for each and every project within a
GRC context?
