Darkreading: Getting Started

[gunnar at arctecgroup.net (Gunnar Peterson)]

Another approach is decentralized specialized teams, centers of excellence
in current managementspeak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2,3, or 4 from
your list. For example, a roving specialized threat modeling team that works
with many groups to help develop threat models, attack patterns, tests, and
so on. Or a roving team that focuses on build secure web apps and cuts
across groups for specialized tasks for secure web app dev, say how do I use
cardspace in my web app?

Once you figure out what your strategic goals are for security - threat
modeling, cardspace, static analysis, secure web app deve, etc. You can use
#2 to focus them on the right stuff, or use #3 as roving advisers (like the
cia in the cold war), or in #4 arm them with a tool or technology like XML
Security gateway or static analysis tools to make a small band more
effective in a large organization.

-gp


On 1/9/08 6:48 PM, "Gary McGraw" <gem at cigital.com> wrote:

> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to
> get started, especially when faced with an enterprise-level challenge.  My
> first darkreading column for 2008 is about how to get started in software
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.
>
> We've tried them all with some success at different Cigital customers.
>
> Are there other ways to get started that have worked for you?
>
> By the way, I can use your help.  Darkreading is beginning to track reaction
> to topics more carefully than in the past.  You can help make software
> security more prominent by reading the article and passing the URL on to
> others you may find interested.  Another thing that helps is posting to the
> message boards.  Thanks in advance.
>
> Here's to even more widespread software security in 2008!
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________