Dailydave mailing list archives

P's and C's of Internal Code Auditing ?


From: Orlando Padilla <xbud () g0thead com>
Date: Mon, 14 Feb 2005 14:21:00 -0500

Hi all,

I'm looking to formulate a good list of pros and cons on how having an *internal* code auditing team (working closely with Dev/QA) would provide more value than damage to a company's overall reputation. Most of the examples I've seen/read about, as in "Practical Cryptography" (Bruce and Niels) and "Building Secure Software" (Viega and McGraw) iirc, do elaborate on the value a security architect would provide during QA periods and, more importantly, during the design phase. However, they discredited these statements and their value by stating that the tradeoff between having a good standing in the security industry and what it costs to dish out secure applications doesn't pay off.

Is this really always the case?

I understand that some companies simply cannot afford the cost of having expensive 'Security Architects' work with their main dev teams, but I'd like to focus on the Fortune 100-500 corps who can.

I apologize ahead of time for re-posting a relatively popular question, but I failed to get anything useful out of Google or old mailing list archives on the topic.

Orlando

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
