[Owasp-leaders] Very interesting 'How Secure are we' disclosure from LockBox

Erwin Geirnaert erwin.geirnaert at zionsecurity.com
Fri Oct 14 10:06:33 EDT 2011


What would be even more interesting is to compare peers in the same industry on a maturity level
Security managers often need to defend their projects to a board of directors that just want to know what others are doing…

Best regards,

Erwin

From: Eoin <eoin.keary at owasp.org>
Date: Fri, 14 Oct 2011 07:00:27 -0700
To: dan cornell <dan.cornell at owasp.org>
CC: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] Very interesting 'How Secure are we' disclosure from LockBox

I've done the same in the EU with some global insurance companies.
They have been very receptive to the output and valued it in terms of "where to go next" and also "how do I get there".
I agree with Dan, as it's kind of a SAS70 to demonstrate their diligence to app security.
It would be good to formalise it as an "APP70" framework?
Eoin

On 14 October 2011 11:41, dan cornell <dan.cornell at owasp.org> wrote:
We've had some success with clients using a combination of OpenSAMM to
describe the state of their security processes along with ASVS to
describe the security state of specific applications at a specific
point in time. This has been helpful for some financial service
providers who get lots of requests to "prove" the security of their
applications from credit unions, regional banks, etc.  It gives them
one set of documents to ship around rather than having every partner
on the planet run their own goofy application scan or "pen test" of
dubious quality.  Kind of like an application security SAS70.

We've been pushing those folks to go more public with their approach;
this is a work in progress.

Thanks,

Dan


On Thu, Oct 13, 2011 at 4:41 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> http://golockbox.com/about/LockBoxSftSecurity.aspx (see
> also http://golockbox.com/dataprotection/d3p.aspx)
> Does anybody know the members of their security team?
> I would like to invite them to help re-kickstart
> the https://www.owasp.org/index.php/Category:OWASP_Positive_Security_Project (maybe
> with a touch
> of https://www.owasp.org/index.php/Don't_Judge_a_Website_by_its_Icon_-_Read_the_Label !)
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>



--
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

https://twitter.com/EoinKeary
http://twitter.com/BCCRiskAdvisory

