Security Basics mailing list archives
Re: A Question of Quality
From: "Alexander Bermudez" <abermudez72 () hotmail com>
Date: Sun, 30 Nov 2008 08:32:03 -0800
Pride of ownership may very well be the reason for lack of adequate QC and Security control but my take is that it might have something to do with security professionals not doing a good enough job of selling the value of security in the SDLC. If the decision makers could be educated on the contractual and regulatory obligations for secure coding (think PCI and SOX), coupled with meaningful deliverables (no Nessus or Webinspect scan reports w/tons of false positives), we might begin to see greater support for inviting security pros to inception of project rather than remaining as an afterthought, when the application has already been released to production.
Security, privacy, compliance requirements have to be built into the product lifecycle from the beginning (I know. I'm preaching to the choir) and it has to be based on sound risk management principles, taxonomy, and jargon that can be understood by the business. How else do we expect to get buy in to our sell.
Just my 2 cents. -------------------------------------------------- From: "Robert Hajime Lanning" <robert.lanning () gmail com> Sent: Sunday, November 02, 2008 11:24 AMTo: "Security Basics" <security-basics () securityfocus com>; "Web Application Security" <webappsec () securityfocus com>
Subject: Re: A Question of Quality
On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> wrote:Why isn't Quality Assumed? Why isn't Security Assumed?Why are these concepts thought of as add ons to Applications and Services?Why do they need to be specified, when they should be taken for granted? - Input Validation - Boundary Conditions - Encrypt Data as necessary - Least Privilege Access - White lists are better than Black listsI believe one of the issues is, pride of ownership in the end product. A lot of the coding is now outsourced to cheap code houses. These peopledo not have ownership or attribution. They have no reason to take any extrasteps, that are not specified in the contract. If it is not in the contract, they are not being paid for it. It's like a building contractor. If it is not in the blue prints, it does not go intothe finished building. That is why a building spec is a thick book, that goesall the way to specifying the exact screw to use. -- And, did Galoka think the Ulus were too ugly to save? -Centauri ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security AssessmentWith the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: A Question of Quality Alexander Bermudez (Dec 01)