WebApp Sec mailing list archives
Re: AppSic
From: George Capehart <gwc () acm org>
Date: Tue, 06 Jun 2006 20:09:15 -0400
Eoin wrote:
http://www.csoonline.com/podcasts/cso_appsic_022806.html Anyone have any insight into APPSIC? - They focus on App Sec metrics.
Sounds to me as if they're trying to rediscover the Certification and Accreditation process . . . Notice that the C&A process is an internally-driven process which requires that real risk assessments be done and that business owners understand the risks that they face and have signed off on controls that will manage the risks to their level of tolerance.

The APPSIC effort is a /*vendor*/ led process that, of course, is going to focus on risks they have decided to try to control and ignore the others. Anyone who takes APPSIC seriously runs the risk of having their risk profile defined for them and their risk management process run by APPSIC.

Sorry, when I see Microsoft and Oracle on a security-related project, my only response is to fire up the bong so that I can have fun reading what they propose . . . . By now it should be pretty well known that when vendors get involved in "standards," their primary purpose is to get their own interpretation included in the result.

Sorry about the cynicism, and I wouldn't blame the moderator if he didn't post this . . . but history tells the story. The reason that OWASP, et al. have survived and had their work widely adopted is precisely because the parties involved had as their only motivation to put out a completely agnostic, but valid and informational product. Exercises left to the reader are the stories of ECMAScript and the IETF's PKIX process . . .

--
George Capehart
PGP KeyID: 0xDD7034EA
"Sometimes you're the windshield, sometimes you're the bug." -- Mark Knopfler