Secure Coding mailing list archives

Building Security In vs Auditing


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Wed, 3 Jan 2007 18:25:45 -0500

Gary, I would love a little refinement of the benefits to badnessometers. Let's say I get a tool to tell me something I 
already suspect is wrong, what percentage of the population are better than they expected? The reason why I ask this 
question is that in our culture if I have a sense something is wrong, it usually isn't that difficult to find metrics 
as to why it is bad and therefore may have the perception of crying wolf as there are lots of bad things in all IT 
systems. Sometimes, going from good to great is a better approach than fixing bad and going to good.

Is it better to do such a badness test by doing a POC with one of the tool vendors in this space or do I get additional 
lift by going with a consulting firm in this regard (other than an opportunity to be schmoozed regarding subsequent 
engagements and reused powerpoints and collateral from other gigs)?

What would it take to get some industry analyst coverage in this space? Lots of folks may be of the belief that it is a 
waste of time bothering but I would love to at least know if any of the firms here have at least made the effort.

-----Original Message-----
From: Gary McGraw [mailto:gem at cigital.com]
Sent: Tuesday, January 02, 2007 1:35 PM
To: McGovern, James F (HTSC, IT); sc-l at securecoding.org
Subject: RE: [SC-L] Building Security In vs Auditing


Hi all,

Very good questions.  

I think a service like the one you describe would be useful mostly as a way of identifying the depth of the problem.  
Simply wielding a tool as a consultant does nothing to train the guys creating bugs not to do so in the future...and so 
the market will correct that over time in an efficient way.  But the fact remains that many potential customers and 
users of static analysis tools have no idea how much of a mess they have.  An outsourcing approach could help with 
that.  They'll find out they need em.

I believe so strongly in the "do anything to get started" thing that I also endorse the use of (really amazingly silly) 
application security testing tools.  I call these badnessometers (see chapter 1 of "Software Security"...and Ken's 
slides for that matter).  But knowing that your web code sucks is better than remaining completely clueless.

In the end, tool integration *into dev* is the key to success with static analysis.  Many of our customers are having 
huge enterprise-wide success because they are learning to use, feed, tune, and train dev about these tools.  The best 
are recycling the things they learn about their code back into training (and into better rules to enforce).

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com.


