Secure Coding mailing list archives

The Next Frontier


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Tue, 26 Jun 2007 18:00:00 -0400

A while back, someone asked the question of what this list should
collectively work on next. Today, I attended a demo from Fortify
Software and an idea appeared. It seems as if OWASP has a taxonomy of
all ways of classifying defects. Likewise, all of the tools emit some
form of information to be consumed by the audit role. 

Would there be value in terms of defining an XML schema that all tools
could emit audit information to? My thought is that this could solve
several problems. For example, if a large enterprise wanted to put in
their outsourcing contract that their outsourcer use a tool (any tool)
but also had to provide the audit results in a normalized markup
language, then they could build trends, do analysis at a higher level to
look at common problems and so on.

Likewise, in situations where one doesn't necessarily have access to
source code (say Oracle, BEA, Microsoft and so on), we could ask for
evidence of what tests were run and the results without having access
to the actual source code. Likewise, if there were a way to capture
signoffs and digitally sign portions then that could be something put
into the contract as well.

Thoughts?


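A sketch of the normalized-audit idea from the message above, as an added example that is not part of the original post and does not follow any real tool's output format: two constructed tool outputs with different shapes are mapped onto one shared record, emitted as a single XML document, aggregated by category and severity across tools, and the findings block is bound to a sign-off by an integrity tag. The tool names, their output formats, the category and severity vocabulary, the key and the signer name are all assumptions; the HMAC is a stand-in for a real digital signature, which would use an asymmetric key so the party signing off can be identified from the document itself.

```python
"""Normalize findings from two (hypothetical) tools into one audit record."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample output from two hypothetical tools (not real products).
TOOL_A_OUTPUT = json.dumps({
    "tool": "ToolA",
    "issues": [
        {"rule": "SQL Injection", "file": "src/db/Query.java", "line": 42, "sev": "High"},
        {"rule": "Cross-Site Scripting", "file": "src/web/Render.java", "line": 7, "sev": "Medium"},
    ],
})
TOOL_B_OUTPUT = """\
ToolB 2.3
src/db/Query.java:42: [Critical] SQLi: untrusted input reaches query
src/util/Rand.java:10: [Low] Weak PRNG: token built from java.util.Random
"""

# Assumed mapping from each tool's own labels onto one shared vocabulary.
CATEGORY_MAP = {
    "SQL Injection": "injection", "SQLi": "injection",
    "Cross-Site Scripting": "xss", "Weak PRNG": "weak-randomness",
}
SEVERITY_MAP = {"critical": "high", "high": "high", "medium": "medium", "low": "low"}


def parse_tool_a(text):
    """ToolA (assumed) emits JSON; map each issue onto the shared record shape."""
    data = json.loads(text)
    for issue in data["issues"]:
        yield {"tool": data["tool"], "category": CATEGORY_MAP[issue["rule"]],
               "severity": SEVERITY_MAP[issue["sev"].lower()],
               "file": issue["file"], "line": issue["line"]}


def parse_tool_b(text):
    """ToolB (assumed) emits 'file:line: [Sev] Label: message' lines after a banner."""
    lines = text.strip().splitlines()
    tool = lines[0].split()[0]
    for line in lines[1:]:
        loc, rest = line.split(": [", 1)
        sev, msg = rest.split("] ", 1)
        path, lineno = loc.rsplit(":", 1)
        label = msg.split(":", 1)[0]
        yield {"tool": tool, "category": CATEGORY_MAP[label],
               "severity": SEVERITY_MAP[sev.lower()],
               "file": path, "line": int(lineno)}


def _mac(element, key):
    # Stand-in for an XML digital signature: HMAC over the serialized element.
    return hmac.new(key, ET.tostring(element), hashlib.sha256).hexdigest()


def build_audit(findings, signer, key):
    """Build the normalized <audit> document and bind the findings to a sign-off."""
    root = ET.Element("audit")
    block = ET.SubElement(root, "findings")
    for f in findings:
        e = ET.SubElement(block, "finding", tool=f["tool"],
                          category=f["category"], severity=f["severity"])
        ET.SubElement(e, "location", file=f["file"], line=str(f["line"]))
    ET.SubElement(root, "signoff", by=signer, mac=_mac(block, key))
    return root


def verify_signoff(root, key):
    """Recompute the tag; any edited finding or a wrong key fails verification."""
    expected = _mac(root.find("findings"), key)
    return hmac.compare_digest(expected, root.find("signoff").get("mac"))


def summarize(root):
    """Aggregate across tools: what a contract owner would trend release over release."""
    return Counter((f.get("category"), f.get("severity")) for f in root.iter("finding"))


def normalize(key=b"demo-key", signer="app-security-lead"):
    findings = list(parse_tool_a(TOOL_A_OUTPUT)) + list(parse_tool_b(TOOL_B_OUTPUT))
    return build_audit(findings, signer, key)


if __name__ == "__main__":
    audit = normalize()
    print(ET.tostring(audit, encoding="unicode"))
    print(dict(summarize(audit)), verify_signoff(audit, b"demo-key"))
```

Both tools flag src/db/Query.java line 42, which only becomes visible once the records share one vocabulary; that cross-tool overlap, and the per-category counts over time, is the higher-level analysis the proposal is after.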



