Secure Coding mailing list archives

Re: How have you climbed the wall?


From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Thu, 28 Jul 2011 12:01:03 -0500

Rohit Sethi wrote:

> Recently I sent a note about the Organic Progression of the Secure SDLC.
> One of the major points that we raise in that model is the difficulty with
> "Climbing the Wall": getting the lines of business to commit resources
> to application/software security. This is one of the most fundamental
> challenges in building a secure SDLC.
>
> We offer some simple high level thoughts and a PPT deck you can use here:
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/how-climb-wall/
>
> I'm curious to see what others have done / seen to climb the
> wall effectively.

I can't speak for others, but what worked for us--and I think that the BSIMM data
bears this out--is that our company formed a separate Application Security team.
This team was placed within the IT organization (vs. under Risk Management) and was
comprised of staff with extensive and varied application development experience
who had a common interest in application security. (Note that this team was
formed 11 years ago and, for the most part, is still intact. I was the technical lead
of this group up until about 6 months ago.)

For us, this worked out well. Among the first initiatives of this group
was to build a custom proprietary application security library similar
in intent to ESAPI (although much less ambitious). We also evaluated
several vendor web access management solutions, chose one, and then over
the period of the last 8 or 9 years, integrated that vendor solution with
close to 250 applications, both internal and external. For the first several
years, we also offered free consulting to internal development groups.

I think the keys to the team's success in "climbing the wall" were that it was
placed under the IT organization and that it was made up of senior developers
who had lots of development experience. (I've always believed it's easier to
teach a good developer about security than it is to teach a security person
about development.) The latter was important because they spoke the same
lingo as developers and could identify with the obstacles that developers face.
It's not perfect, but it seems to have been relatively successful.

-kevin
---
Kevin W. Wall           CenturyLink / Risk Mgmt / Information Security
Kevin.Wall () qwest com    Phone: 614.215.4788
Blog: http://off-the-wall-security.blogspot.com/
"There are only 10 types of people in the world...those who can count
in binary and those who can't."


________________________________
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________