[SC-L] Darkreading: Getting Started

Jim Manico jim at manico.net
Thu Jan 10 00:50:25 EST 2008 

Gary,

Interesting article. May I ask, why get started with only one of these 
approaches? Since 1-3 effects different parts of the organization 
(portfolio risk seems like a biz-management approach, top-down framework 
seems to effect software development management, and training effects 
developers, primarily) - why not *start* an initiative on all levels? In 
fact, doesn't it really take all of the above to truly effect permanent 
change in an organization?

4) Makes me nervous. I worry if you just toss a very expensive static 
code analysis or app scanning tool at development staff, you only 
provide a false sense of security since the coverage of even the best 
application security tools is very limited. Doesn't it take rather 
in-depth developer training and awareness for a tool to be truly useful?

- Jim
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to get started, especially when faced with an enterprise-level challenge.  My first darkreading column for 2008 is about how to get started in software security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.
>
> We've tried them all with some success at different Cigital customers.
>
> Are there other ways to get started that have worked for you?
>
> By the way, I can use your help.  Darkreading is beginning to track reaction to topics more carefully than in the past.  You can help make software security more prominent by reading the article and passing the URL on to others you may find interested.  Another thing that helps is posting to the message boards.  Thanks in advance.
>
> Here's to even more widespread software security in 2008!
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
>
>
>   

-- 

Best Regards,
Jim Manico
jim at manico.net
808.652.3805 (c)

More information about the SC-L mailing list