Secure Coding mailing list archives

Darkreading: Getting Started


From: gem at cigital.com (Gary McGraw)
Date: Thu, 10 Jan 2008 08:58:16 -0500

hi gp,

Yup.  I count that as 1 (top-down framework) because that approach often leads with the creation of a special ops 
execution team that becomes the software security group.  By far, this is the most impressive approach in terms of 
results and the one that is the most effective in well-run enterprises.

Please do note that getting started does not mean you have to stick with only one of the ways.  Any mature approach to 
software security requires aspects of each of the getting started ways.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: Gunnar Peterson [mailto:gunnar at arctecgroup.net]
Sent: Wednesday, January 09, 2008 10:00 PM
To: Gary McGraw; Secure Mailing List
Subject: Re: [SC-L] Darkreading: Getting Started

Another approach is decentralized specialized teams, centers of excellence in current managementspeak, with a specific 
agenda and expertise on an area deemed strategic. This approach is probably best paired with 2, 3, or 4 from your list. 
For example, a roving specialized threat modeling team that works with many groups to help develop threat models, 
attack patterns, tests, and so on. Or a roving team that focuses on building secure web apps and cuts across groups for 
specialized tasks for secure web app dev, say, how do I use CardSpace in my web app?

Once you figure out what your strategic goals are for security - threat modeling, CardSpace, static analysis, secure 
web app dev, etc. - you can use #2 to focus them on the right stuff, or use #3 as roving advisers (like the CIA in the 
Cold War), or in #4 arm them with a tool or technology like XML Security gateway or static analysis tools to make a 
small band more effective in a large organization.

-gp


On 1/9/08 6:48 PM, "Gary McGraw" <gem at cigital.com> wrote:

hi sc-l,

One of the biggest hurdles facing software security is the problem of
how to get started, especially when faced with an enterprise-level
challenge.  My first darkreading column for 2008 is about how to get
started in software security.  In the article, I describe four approaches:
1. the top-down framework;
2. portfolio risk;
3. training first; and
4. leading with a tool.

We've tried them all with some success at different Cigital customers.

Are there other ways to get started that have worked for you?

By the way, I can use your help.  Darkreading is beginning to track
reaction to topics more carefully than in the past.  You can help make
software security more prominent by reading the article and passing
the URL on to others you may find interested.  Another thing that
helps is posting to the message boards.  Thanks in advance.

Here's to even more widespread software security in 2008!

gem

