OWASP Publicity

[list-procurare at secureconsulting.net (Benjamin Tomhave)]

I agree and disagree with these comments, as I think they possibly
represent an outmoded way of thinking when it comes to IT management.
Execs and senior mgmt _must_ have a certain understanding of security
that will at least give them a basis for making risk decisions. It seems
today that they are fine (generally) making business risk decisions, but
then believe falsely that making an IT risk decision requires following
a completely different set of rules (when, in fact, it's just another
kind of business risk decision). I'm of the belief that this directly
correlates to their lack of fundamental understanding of IT and security
issues.

Where I agree is the level of detail that needs to be imparted. OWASP
Top 10 is probably too much detail to communicate to the average exec or
sr manager. However, we must not overlook that these business leaders
were once individual contributors. Yes, it's true that some of these
folks came up through a strictly business route, but for the most part
these days I see these careers originating in at least a semi-technical
role. We should be seeking to leverage those backgrounds to educate them
and bring them to modern times.

On Crispin's later comments about bad vs good managers, I think he's
very much hit the nail on the head (see the quote in my sig). However,
there's one aspect that's overlooked, which is outdated prior history.
If an executive's understanding of technology is founded in their first
contributions as an individual contributor 10-20 years ago, then this
means their understanding of modern technology may be severely limited.
I'm sure all of us understand how difficult it is to stay on top of
current trends as technology evolves, and it's often our job to do so.
What if it's not your job to keep current? The times will change while
your focus is elsewhere, but only a truly savvy person will think to
check that context before making decisions that affect it. This seems to
be a rarity.

So, to conclude, I think that it would be valuable, in broad brush
strokes, to educate leaders about secure coding - and security in
general - but perhaps not to the level of detail we might really desire
to see. We want execs and sr managers to drive their folks toward secure
coding practices, but that doesn't mean they themselves have to know how
to code securely. As such, in targeting these other publications, the
message should be refined to be business-oriented, extolling the
business risks associated with ignoring these practices and providing a
big arrow pointing in the direct of orgs like OWASP.

fwiw.

-ben

-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/

[ Random Quote: ]
"If a man is offered a fact which goes against his instincts, he will
scrutinize it closely, and unless the evidence is overwhelming, he will
refuse to believe it. If, on the other hand, he is offered something
which affords a reason for acting in accordance to his instincts, he
will accept it even on the slightest evidence. The origin of myths is
explained in this way."
Bertrand Russell

Crispin Cowan wrote:
> McGovern, James F (HTSC, IT) wrote:
> > I have observed an interesting behavior in that the vast majority of IT
> > executives still haven't heard about the principles behind secure
> > coding. My take says that we are publishing information in all the wrong
> > places. IT executives don't really read ACM, IEEE or other the sporadic
> > posting from bloggers but they do read CIO, Wall Street Journal and most
> > importantly listen to each other.
> >
> > What do folks on this list think about asking the magazines and
> > newspapers to publish? I am willing to gather contact information of
> > news reporters and others within the media if others are willing to
> > amplify the call to action in terms of contacting them. 
> >   
> The vast majority of IT executives are unfamiliar with all of the
> principles of security, firewalls, coding, whatever.
>
> The important thing to understand is that such principles are below
> their granularity; then are *right* to not care about such principles,
> because they can't do anything about them. Their granularity of decision
> making is which products to buy, which strategies to adopt, which
> managers to hire and fire. Suppose they did understand the principles of
> secure coding; how then would they use that to decide between firewalls?
> Web servers? Application servers?
>
> If anything, the idea that needs to be pitched to IT executives is to
> pay more attention to "quality" than to shiny buttons & features. But
> there's the rub, what is "quality" and how can an IT executive measure it?
>
> I have lots of informal metrics that I use to measure quality, but they
> largely amount to synthesized reputation capital, derived from reading
> bugtraq and the like with respect to how many vulnerabilities I see with
> respect to a given product, e.g. Qmail and Postifx are extremely secure,
> Pidgin not so much :)
>
> But as soon as we formalize anything like this kind of metric, and get
> executives to start buying according to it, then vendors start gaming
> the system. They start developing aiming at getting the highest
> whatever-metric score they can, rather than for actual quality. This
> happens because metrics that approximate quality are always cheaper to
> achieve than actual quality.
>
> This is a very, very hard problem, and sad to say, but pitching articles
> articles on principles to executives won't solve it.
>
> Crispin