In terms of creating an SDLC, pop out to Borders and get Howard and Lipner's "The Security Development Lifecycle", ISBN 9780735622142
http://www.microsoft.com/mspress/books/8753.aspx

It is simply the best text I've read in a long time.

You may be interested in the work Mark Curphey et al. are doing at his new start-up. They launched an ISM portal a couple of weeks back.
http://www.ism-community.org/

If you're just after ideas on how to engage vendors, check out Curphey's blog for some nice insider posts:
http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/

He ran Foundstone's services for a while, and built up a pretty good consultancy.

The sort of metrics you're after are notoriously hard to find out in the wild. There's some folks capturing screenshots of enterprise dashboards. This may or may not help at all.
http://dashboardspy.com/

Thanks,
Andrew

On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:

> I agree with your assessment of how things are sold at a high level but still struggling in that it takes more than just graphicalizing of your points to sell, hence I am still attempting to figure out a way to get my hands on some PPT that are used internal to enterprises prior to consulting engagements and I think a better answer will emerge. PPT may provide a sense of budget, timelines, roles and responsibilities, who needed to buy in, industry metrics, quotes from noted industry analysts, etc. that will help shortcut my own work so I can start moving towards the more important stuff.
>
>> -----Original Message-----
>> From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
>> Sent: Monday, March 19, 2007 2:50 PM
>> To: McGovern, James F (HTSC, IT)
>> Cc: SC-L
>> Subject: Re: [SC-L] How is secure coding sold within enterprises?
>>
>> There are two major methods:
>>
>> 1. Opportunity cost / competitive advantage (the Microsoft model)
>> 2. Recovery cost reductions (the model used by most financial institutions)
>>
>> Generally, opportunity cost is where an organization can further its goals by a secure business foundation. This requires the CIO/CSO to be able to sell the business on this model, which is hard when it is clear that many businesses have been founded on insecure foundations and do quite well nonetheless. Companies that choose to be secure have a competitive advantage, an advantage that will increase over time and will win conquest customers. For example (and this is my humble opinion), Oracle's security is a long standing unbreakable joke, and in the meantime MS ploughed billions into fixing their tattered reputation by making it a competitive advantage, and thus making their market dominance nearly complete. Oracle is now paying for their CSO's mistake in not understanding this model earlier. Forward looking financial institutions are now using this model, such as my old bank's (with its SMS transaction authentication feature) winning many new customers by not only promoting themselves as secure, but doing the right thing and investing in essentially eliminating Internet Banking fraud. It saves them money, and it works well for customers. This is the best model, but the hardest to sell.
>>
>> The second model is used by most financial institutions. They are mature risk managers and understand that a certain level of risk must be taken in return for doing business. By choosing to invest some of the potential or known losses in reducing the potential for massive losses, they can reduce the overall risk present in the corporate risk register, which plays well to shareholders. For example, if you invest $1m in securing a cheque clearance process worth (say) $10b annually to the business, and that reduces cheque fraud by $5m per year and eliminates $2m of unnecessary overhead every year, security is an easy sell with obvious targets to improve profitability. A well managed operational risk group will easily identify the riskiest aspects of a mature company's activities, and it's easy to justify improvements in those areas.
>>
>> The FUD model (used by many vendors - "do this or the SOX boogeyman will get you") does not work.
>>
>> The do nothing model (used by nearly everyone who doesn't fall into the first two categories) works for a time, but can spectacularly end a business. Card Systems anyone? Unknown risk is too risky a proposition, and is plain director negligence in my view.
>>
>> Thanks,
>> Andrew
>>
>> On 3/19/07 11:35 AM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:
>>
>>> I am attempting to figure out how other Fortune enterprises have gone about selling the need for secure coding practices and can't seem to find the answer I seek. Essentially, I have discovered that one of a few scenarios exist: (a) the leadership chain was highly technical and intuitively understood the need; (b) the primary business model of the enterprise is either banking, investments, etc. where the risk is perceived higher if it is not performed; (c) it was strongly encouraged by a member of a very large consulting firm (e.g. McKinsey, Accenture, etc.).
>>>
>>> I would like to understand what the PowerPoint deck that employees of Fortune enterprises use to sell the concept PRIOR to bringing in consultants and vendors to help them fulfill the need looks like. Has anyone run across any PPT that best outlines this for demographics where the need is real but considered less important than other initiatives?
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________