[SC-L] Integrated Dynamic and Static Scanning
Brad Andrews
andrews at rbacomm.com
Wed Jul 29 18:37:26 EDT 2009
While I completely agree with this statement, it is a much tougher
sell to management that is seeking to keep the company making money
(or perhaps even alive). I believe that having (and using) an
imperfect tool is better than nothing, so I would at least push for
that. Getting things that play well together is even better.
I think a complete overhaul and digging security flaws out is even
better, but is a much harder sell in many places in my experience.
Perhaps I am too jaded, but you have to work with what you can get
approved and paid for.
The cost of the "indispensable" experience is much higher than most
companies will stomach. :)
Some companies do value it, but most haven't "seen the light" yet in
my experience. While that is limited compared to many on this list, I
think my perspective is something that is easy to lose track of when
you are fixing security issues every day. Not everyone shares the
vision, unfortunately.
And some of those that see the problem don't have the budget and
executive support to fix the problem.
--
Brad Andrews
RBA Communications
CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI
Quoting Andre Gironda <andreg at gmail.com>:
> On 7/28/09, Brad Andrews <andrews at rbacomm.com> wrote:
>
> Experts can't be replaced by tools.