Secure Coding mailing list archives
How Can You Tell It Is Written Securely?
From: stephencraig.evans at gmail.com (Stephen Craig Evans)
Date: Mon, 1 Dec 2008 22:50:14 +0800
Hi Mark,

What I have seen is that the organization develops security standards/guidelines and secure coding guidelines tailored to the org. If the org is big enough to have its own security team, then they do it; if not, then they hire consultants to do it. It's not too difficult to find out amongst the consultants who has the experience and who doesn't. Those standards and guidelines are updated either every year or two, or before the next big project.

External consultant(s) - not the internal security team within the organization (if it exists) - then does audits at milestones of the project implemented by the outsourcing organization and reports on the conformance to the guidelines and standards, and anything else that might have been left out (which then results in updated standards and guidelines).

For non-conformant issues, the 3 groups get together and decide what to do about it. If a direct solution is not possible, often other security controls can be tweaked or enhanced to make that particular risk acceptable or eliminated.

This type of system has clear separation of duties.

Stephen

On Thu, Nov 27, 2008 at 10:03 AM, Mark Rockman <mrockman at acm.org> wrote:
OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked? What simple yet thorough inspection process is there that'll do the job? Doesn't exist, does it?

MARK ROCKMAN
MDRSESCO LLC