Re: A Question of Quality

["Alexander Bermudez" <abermudez72 () hotmail com>]

Pride of ownership may very well be the reason for lack of adequate QC and 
Security control but my take is that it might have something to do with 
security professionals not doing a good enough job of selling the value of 
security in the SDLC. If the decision makers could be educated on the 
contractual and regulatory obligations for secure coding (think PCI and 
SOX), coupled with meaningful deliverables (no Nessus or Webinspect scan 
reports w/tons of false positives), we might begin to see greater support 
for inviting security pros to inception of project rather than remaining as 
an afterthought, when the application has already been released to 
production.

Security, privacy, compliance requirements have to be built into the product 
lifecycle from the beginning (I know. I'm preaching to the choir) and it has 
to be based on sound risk management principles, taxonomy, and jargon that 
can be understood by the business. How else do we expect to get buy in to 
our sell.

Just my 2 cents.


--------------------------------------------------
From: "Robert Hajime Lanning" <robert.lanning () gmail com>
Sent: Sunday, November 02, 2008 11:24 AM
To: "Security Basics" <security-basics () securityfocus com>; "Web Application 
Security" <webappsec () securityfocus com>
Subject: Re: A Question of Quality

> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> 
> wrote:
> > Why isn't Quality Assumed?
> > Why isn't Security Assumed?
> > Why are these concepts thought of as add ons to Applications and 
> > Services?
> >
> > Why do they need to be specified, when they should be taken for granted?
> >  - Input Validation
> >  - Boundary Conditions
> >  - Encrypt Data as necessary
> >  - Least Privilege Access
> >  - White lists are better than Black lists
>
> I believe one of the issues is, pride of ownership in the end product.
>
> A lot of the coding is now outsourced to cheap code houses.  These people
> do not have ownership or attribution.  They have no reason to take any 
> extra
> steps, that are not specified in the contract.  If it is not in the
> contract, they
> are not being paid for it.
>
> It's like a building contractor.  If it is not in the blue prints, it
> does not go into
> the finished building.  That is why a building spec is a thick book, that 
> goes
> all the way to specifying the exact screw to use.
>
> --
> And, did Galoka think the Ulus were too ugly to save?
>                                         -Centauri
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web 
> application security assessments should be considered a crucial phase in 
> the development of any web application. What methodology should be 
> followed? What tools can accelerate the assessment process? Download this 
> Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------