WebApp Sec mailing list archives

Re: Oracle CSO's Response to InfoSecMagazines Secure Coding Bah! [Virus checkedAU]


From: Bruce.Morris () au ey com
Date: Wed, 11 Feb 2004 11:24:01 +1100

Hi Gang,

Reasonable = balance between risk, cost and benefits.  Secure coding is
about control in response to risk.  This requires an understanding and
assessment of the risk.  If internally developed - what does the
organisation stand to lose?  What is the likelihood that it's going to get
trashed?  How much money is the organisation prepared to spend to mitigate
the exposure?
If a COTS type application - what sort of business/function is being
targeted with this application?  How serious will the security concerns of
purchasing organisations likely be?  Does the product require some
independent assessment to deliver an identifiable level of assurance (eg a
DoD or common criteria type equivalent)?

I appreciate the point -

Briney said, "Risk reduction is all about reducing vulnerabilities,
mitigating threats and lowering event costs." However, most customers
have almost no information on the security-worthiness of the products
they buy, and some risks can't be mitigated. The single best thing
the industry can do to mitigate users' risk is to write better
software.

Yes, it is not practical, conceivable, cost effective or useful for all
products to submit to common criteria evaluation.  As coding guidelines are
specific to a toolset, risk assessment is specific to a product and
organisational context.

From an audit perspective the question that comes to mind out of this is,
should there be a baseline specification for what minimum standards should
be applied in coding practices?  Can these be universally applicable?  At
which point do we move from putting up a sign to say "enter bridge at own
risk" to being able to have all drivers understand that a bridge will
reliably support one car and one car only at a time - unless otherwise
stated.

Using the electric kettle as an example, if the kettle isn't built to
certain minimum safety standards then the manufacturer will get sued if a
user gets electrocuted, due to failure in duty of care.

I realise that legal issues come into play here and an
organisational/country context also matters; however, is there a bottom
line which could be set for one and all, or can "control effectiveness"
type levels be added to existing guidelines that demonstrate measurable
bang-for-the-buck?  Is this generally desirable?

Cheers...keep up the great work.
