Secure Coding mailing list archives
Building Security In vs Auditing
From: ljknews at mac.com (ljknews)
Date: Tue, 2 Jan 2007 13:17:16 -0500
At 9:46 AM -0500 1/2/07, McGovern, James F (HTSC, IT) wrote:
I read a recent press release in which a security vendor (names removed to both protect the innocent along with the fact that it doesn't matter for this discussion) partnered with a prominent outsourcing firm. The press release was carefully worded but if you read into what wasn't said, it was in my opinion encouraging something that folks here tend to fight against. The outsourcing firm would use this tool in an auditing capacity for whatever client asked for another service but it would not become part of the general software development lifecycle for all projects.
- It didn't mention any notion of all developers within the outsourcing firm having tools on their desktop to audit as they develop
From the information supplied, it is not clear that the tool is something appropriate for the development environment. I develop a tool that could be used in a (certain) development environment, but that would only tell how the development environment was secured, having no effect on the degree to which the outsourced code was secure.
- It didn't mention any notion of training all developers within the outsourcing firm on secure coding practices
From the information supplied, it is not clear that the security vendor is one that would be involved in training anyone. Limitations on a joint press release (one that names another company) are subject to severe negotiations. Even if the security firm _was_ going to do what you suggest, I can see a PR flack at the outsourcing firm resisting any public suggestion that any of their staff needed further training on any aspect of data processing.
--
Larry Kilgallen