Secure Coding mailing list archives
BSIMM update (informIT)
From: James.McGovern at thehartford.com (McGovern, James F. (eBusiness))
Date: Wed, 3 Feb 2010 10:06:21 -0500
While Wall Street's definition of risk collapsed, the insurance model of risk stood the test of time :-) Should we explore your question of "how are risk levels defined in business terms" more deeply, or can we simply say that if you don't have your own industry-specific regulatory way of quantifying, a good starting point may be to leverage the OWASP Risk Rating system?

I also would like to challenge and say NO to prescriptive. Security people are not Vice Presidents of the NO department. Instead, we need to figure out how to align with other value systems (think Agile Manifesto). We can be secure without being prescriptive. One example is to do business exercises such as Protection Poker.

Finally, we shouldn't say yes to regulatory mandates, as most of them are misses on the real risk at hand. The challenge here is that they always mandate process but never competency. If a regulation said that I should have someone with a fancy title overseeing a program, the business world would immediately fill the slot with some non-technical resource who is really good at PowerPoint but nothing else. In other words, a figurehead. Likewise, while regulations cause people to do things that they should be doing independently, they have a negative side effect on our economy by causing folks to spend money in non-strategic ways.

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Benjamin Tomhave
Sent: Tuesday, February 02, 2010 10:19 PM
To: Arian J. Evans
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM update (informIT)

<soapbox>While I can't disagree with this based on modern reality, I'm increasingly hesitant to allow the conversation to bring in risk, since it's almost complete garbage these days.
Nobody really understands it, nobody really does it very well (especially if we redact out financial services and insurance - and even then, look what happened to Wall Street risk models!), and more importantly, it's implemented so shoddily that there's no real, reasonable way to actually demonstrate risk remediation/reduction, because talking about it means bringing in a whole other range of discussions ("what is most important to the business?" and "how are risk levels defined in business terms?" and "what role do data and systems play in the business strategy?" and "how does data flow into and out of the environment?" and so on). Anyway... the long-n-short is this: let's stop fooling ourselves by pretending that risk has anything to do with these conversations.</soapbox>

I think:
- yes to prescriptive!
- yes to legal/regulatory mandates!
- caution: we need some sort of evolving maturity framework to which the previous two points can be pegged!

cheers,
-ben

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************
Current thread:
- Metrics, (continued)
- BSIMM update (informIT) Arian J. Evans (Feb 02)
- BSIMM update (informIT) Steven M. Christey (Feb 02)
- BSIMM update (informIT) Mike Boberski (Feb 02)
- BSIMM update (informIT) Gary McGraw (Feb 03)
- BSIMM update (informIT) Gary McGraw (Feb 03)
- BSIMM update (informIT) Mike Boberski (Feb 02)
- BSIMM update (informIT) Gary McGraw (Feb 03)
- BSIMM update (informIT) Benjamin Tomhave (Feb 02)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 03)
- BSIMM update (informIT) Benjamin Tomhave (Feb 03)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 03)
- BSIMM update (informIT) Gary McGraw (Feb 03)
- BSIMM update (informIT) Arian J. Evans (Feb 04)