Re: How have you climbed the wall?

[Rohit Sethi <rklists () gmail com>]

Kevin, that's fantastic insight. If you convert it to a blog posting I'll
add a link to it

On Thu, Jul 28, 2011 at 1:01 PM, Wall, Kevin <Kevin.Wall () qwest com> wrote:

>  Rohit Sethi wrote:****
>
> ** **
>
> > Recently I sent a note about the Organic Progression of the Secure SDLC.
> ****
>
> > One of the major points that we raise in that model is the difficulty
> with****
>
> > "Climbing the Wall": Getting the lines of business to commit resource***
> *
>
> > to application/software security. This is one of the most fundamental***
> *
>
> > challenges in building a secure SDLC.****
>
> > ** **
>
> > We offer some simple high level thoughts and a PPT deck you can use here:
> ****
>
> >
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/how-climb-wall/
> ****
>
> > ****
>
> > I'm curious to see what others have  have done / seen to climb the****
>
> > wall effectively****
>
> ** **
>
> I can't speak for others--although I think that the BSIMM data bears this*
> ***
>
> out--is that our company formed a separate Application Security team. This
> team****
>
> was placed within the IT organization (vs. under Risk Management) and was*
> ***
>
> comprised of staff with extensive and varied application development
> experience****
>
> who had a common interest in application security. (Note that this team was
> ****
>
> formed 11 years ago and for the most part, is still intact. I was the
> technical lead****
>
> of this group up until about 6 months ago.)****
>
> ** **
>
> For us, this worked out well. Among the first initiatives of this group***
> *
>
> was to build a custom proprietary application security library similar****
>
> in intent to ESAPI (although much less ambitious). We also evaluated****
>
> several vendor web access management solutions, chose one, and then over**
> **
>
> the period of the last 8 or 9 years, integrated that that vendor solution
> with****
>
> close to 250 applications, both internal and external.  For the first
> several****
>
> years, we also offered free consulting to internal development groups.****
>
> ** **
>
> I think the keys to the team’s success in "climbing the wall" was that it
> was****
>
> placed under the IT organization and it was made up of senior developers**
> **
>
> who had lots of development experience. (I’ve always believed it’s easier
> to****
>
> teach a good developer about security than it is to teach a security person
> ****
>
> about development.) The later was important because they speak the same***
> *
>
> lingo as developers and could identify with the obstacles that developers
> face.****
>
> It’s not perfect, but it seems to have been relatively successful.****
>
> ** **
>
> -kevin****
>
> ---
> Kevin W. Wall           CenturyLink / Risk Mgmt / Information Security
> Kevin.Wall () qwest com    Phone: 614.215.4788****
>
> Blog: http://off-the-wall-security.blogspot.com/****
>
> "There are only 10 types of people in the world...those who can count****
>
> in binary and those who can't."****
>
> ** **
>
> ------------------------------
> This communication is the property of Qwest and may contain confidential or
> privileged information. Unauthorized use of this communication is strictly
> prohibited and may be unlawful. If you have received this communication
> in error, please immediately notify the sender by reply e-mail and destroy
> all copies of the communication and any attachments.



-- 
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________