Secure Coding mailing list archives
FW: How Can You Tell It Is Written Securely?
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Mon, 1 Dec 2008 17:08:49 -0500
Some other thoughts that I haven't heard others mention?

1. OK, if you find that they didn't meet all the security requirements, will your business customers still want you to put it into production anyway? If the answer is yes, do you still want them to support it? How do we quantify who is responsible if a breach happens and you gave them a waiver?

2. Security clauses have a side effect in contracts that others need to noodle. If you have a clause that can only be measured over a longer timespan, it tinkers with revenue recognition. So, how long do you want folks to certify that things are secure?

3. I like secure coding as much as the next guy, and checking for CSRF is a good thing. How about noodling requirements around logging such that, if they didn't get it right upfront, you at least have something forensically useful after the fact?

4. While we are all developers, do you think there is merit in addressing roles of vendors, especially non-development? For example, is it valuable to have them have on staff a security architect with lots of credentials who is separate from the development lifecycle (distinct from being totally ivory tower or hands-off)?

5. How much more are folks willing to pay to build security in? This kinda doesn't align with going offshore to get the cheapest resource. It is in their best interest to be an impediment to this goal, and you need to define things in a more friendly manner. Coming out of the gate by throwing others under the bus probably will not get you what you desire (of course, it is a tactic I use way too much).
Current thread:
- How Can You Tell It Is Written Securely?, (continued)
- How Can You Tell It Is Written Securely? McGovern, James F (HTSC, IT) (Nov 30)
- How Can You Tell It Is Written Securely? Andrew van der Stock (Dec 02)
- How Can You Tell It Is Written Securely? ljknews (Dec 02)
- How Can You Tell It Is Written Securely? McGovern, James F (HTSC, IT) (Nov 30)
- How Can You Tell It Is Written Securely? Stephen Craig Evans (Dec 01)
- FW: How Can You Tell It Is Written Securely? Herman Stevens (Dec 01)
- FW: How Can You Tell It Is Written Securely? Marcin Wielgoszewski (Dec 01)
- FW: How Can You Tell It Is Written Securely? Herman Stevens (Dec 01)
- FW: How Can You Tell It Is Written Securely? McGovern, James F (HTSC, IT) (Dec 01)
- FW: How Can You Tell It Is Written Securely? Jim Manico (Dec 01)
- FW: How Can You Tell It Is Written Securely? McGovern, James F (HTSC, IT) (Dec 01)
- FW: How Can You Tell It Is Written Securely? McGovern, James F (HTSC, IT) (Dec 01)
- FW: How Can You Tell It Is Written Securely? Marcin Wielgoszewski (Dec 01)