Secure Coding mailing list archives

How is secure coding sold within enterprises?


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Tue, 20 Mar 2007 09:34:51 -0400

Thanks for the response. I already own the book and understand how to engage vendors. Where I am seeking assistance is 
all the work that goes on within a large enterprise before these two things occur. The ideal situation for me would be 
to get my hands on the five to ten page Powerpoint slide deck that others who have blazed this path before me have used 
to sell the notion to their executives.

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj at owasp.org]
Sent: Monday, March 19, 2007 5:06 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's "The Security Development Lifecycle" ISBN 
9780735622142

http://www.microsoft.com/mspress/books/8753.aspx

It is simply the best text I've read in a long time. 

You may be interested in the work Mark Curphey et al are doing at his new start up. They launched an ISM portal a couple 
of weeks back. 

http://www.ism-community.org/

If you're just after ideas on how to engage vendors, check out Curphey's blog for some nice insider posts:

http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/

He ran Foundstone's services for a while, and built up a pretty good consultancy. 

The sort of metrics you're after are notoriously hard to find out in the wild. There are some folks capturing screenshots 
of enterprise dashboards. This may or may not help at all. 

http://dashboardspy.com/

Thanks,
Andrew


On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com> wrote:

I agree with your assessment of how things are sold at a high-level but still struggling in that it takes more than 
just graphicalizing of your points to sell, hence I am still attempting to figure out a way to get my hands on some PPT 
that are used internal to enterprises prior to consulting engagements and I think a better answer will emerge. PPT may 
provide a sense of budget, timelines, roles and responsibilities, who needed to buy-in, industry metrics, quotes from 
noted industry analysts, etc that will help shortcut my own work so I can start moving towards the more important stuff.



-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj at owasp.org]
Sent: Monday, March 19, 2007 2:50 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?

There are two major methods:

1. Opportunity cost / competitive advantage (the Microsoft model)
2. Recovery cost reductions (the model used by most financial institutions)


Generally, opportunity cost is where an organization can further its goals by a secure business foundation. This 
requires the CIO/CSO to be able to sell the business on this model, which is hard when it is clear that many 
businesses have been founded on insecure foundations and do quite well nonetheless. Companies that choose to be 
secure have a competitive advantage, an advantage that will increase over time and will win conquest customers. For 
example (and this is my humble opinion), Oracle's security is a long standing unbreakable joke, and in the meantime 
MS ploughed billions into fixing their tattered reputation by making it a competitive advantage, and thus making their 
market dominance nearly complete. Oracle is now paying for their CSO's mistake in not understanding this model 
earlier. Forward looking financial institutions are now using this model, such as my old bank (with its SMS 
transaction authentication feature) winning many new customers by not only promoting themselves as secure, but doing 
the right thing and investing in essentially eliminating Internet Banking fraud. It saves them money, and it works 
well for customers. This is the best model, but the hardest to sell.

The second model is used by most financial institutions. They are mature risk managers and understand that a certain 
level of risk must be taken in return for doing business. By choosing to invest some of the potential or known losses 
in reducing the potential for massive losses, they can reduce the overall risk present in the corporate risk 
register, which plays well to shareholders. For example, if you invest $1m in securing a cheque clearance process 
worth (say) $10b annually to the business, and that reduces cheque fraud by $5m per year and eliminates $2m of 
unnecessary overhead every year, security is an easy sell with obvious targets to improve profitability. A well 
managed operational risk group will easily identify the riskiest aspects of a mature company's activities, and it's 
easy to justify improvements in those areas. 

The FUD model (used by many vendors - "do this or the SOX boogeyman will get you") does not work.

The do nothing model (used by nearly everyone who doesn't fall into the first two categories) works for a time, but 
can spectacularly end a business. Card Systems anyone? Unknown risk is too risky a proposition, and is plain director 
negligence in my view.  

Thanks,
Andrew 


On 3/19/07 11:35 AM, "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com> wrote:

I am attempting to figure out how other Fortune enterprises have gone about selling the need for secure coding 
practices and can't seem to find the answer I seek. Essentially, I have discovered that one of a few scenarios exists: 
(a) the leadership chain was highly technical and intuitively understood the need; (b) the primary business model of 
the enterprise is banking, investments, etc., where the risk is perceived as higher if it is not performed; (c) it 
was strongly encouraged by a member of a very large consulting firm (e.g. McKinsey, Accenture, etc.).

I would like to understand the Powerpoint deck that employees of Fortune enterprises use to sell the concept 
PRIOR to bringing in consultants and vendors to help them fulfill the need. Has anyone run across any PPT that best 
outlines this for demographics where the need is real but considered less important than other initiatives?


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC ( http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
