When all else fails, you need to answer four questions:
1) Is it authorized by the management that answers for the results of processing?
2) How do you know if the processing and resulting data are complete?
3) How do you know the results of processing are accurate?
4) Can the results of transaction processing be traced throughout any part of the application process without omitting or diluting the answers to the previous 3 questions?
I have to attribute my answer to Mr. Hugh Hardie of Mississauga, 
Ontario, CA, who made an inspired presentation to the Illini Chapter of 
ISACA very many years ago. I wish that his hunger to inspire others to 
pursue risks in their IS environment continues.
Ed

McGovern, James F (HTSC, IT) wrote:
> I was thinking that there is an opportunity for us otherwise lazy
> enterprisey types to do our part in order to promote secure coding in an
> open source way. Small vendors tend to be filled with lots of folks that
> know C, Java and .NET but may not have anyone who knows COBOL.
> Minimally, they probably won't have access to a mainframe or a large
> code base. 
>
> Being an individual who is savage about being open and participating in
> a community, I would like to figure out what my particular call to action
> is. What questions should I be asking myself regarding our mainframe,
> how to exploit, etc. so that I can make this type of knowledge open
> source such that all the static analysis tools can start to incorporate?
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
