Secure Coding mailing list archives
Building Security In vs Auditing
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Tue, 2 Jan 2007 09:46:20 -0500
I read a recent press release in which a security vendor (names removed both to protect the innocent and because it doesn't matter for this discussion) partnered with a prominent outsourcing firm. The press release was carefully worded, but if you read into what wasn't said, it was in my opinion encouraging something that folks here tend to fight against. The outsourcing firm would use this tool in an auditing capacity for whatever client asked for another service, but it would not become part of the general software development lifecycle for all projects.

- It didn't mention any notion of all developers within the outsourcing firm having tools on their desktop to audit as they develop.
- It didn't mention any notion of training all developers within the outsourcing firm on secure coding practices.
- It did hint that one-time periodic audits from a metrics perspective would be useful to clients that wanted this new service, but didn't say how developers would be able to iterate on the code and reduce bugs. I would think that any offering that removes developers from the feedback loop while developing code and instead focuses on management-oriented (non-developer) metrics is generally a bad idea.
- It didn't even mention how many folks from their security practice were to receive training in secure coding practices.
- Should we think of security as an extra "service" or as something that should be incorporated into the SDLC in a consistent, sustainable manner?

Am I far off base, having drunk too much of Ken Van Wyk's Kool-aid from his wonderful training course, by thinking that this type of initiative does more harm than good?