[SC-L] Book project needs co-author(s)

2011-03-07 Thread Mark Graff
Hi SC-L folks, 

Ken van Wyk and I (we wrote “Secure Coding”, in 2003) are working on a new 
book. It’s about how software developers and enterprise security specialists 
can work together to help make a business safer.

The project is not moving fast enough for us, so we’d like to take on one or 
two co-authors.

If you would like to be considered, please email me at “coding-authors at 
vanwyk dot org”. (A one-sentence expression of interest would be fine.) I will 
reply promptly with more information about the project and a list of things 
about you we will want to know. Our deadline for these inquiries is Sunday, 
March 13th.

We would prefer co-authors with a successful track record, but previously 
published books or papers are not a prerequisite. We do require substantial 
experience in at least one of the two disciplines—software development or 
enterprise security—and the ability to express oneself clearly in business 
English. Oh, and you will need lots of time this year.

1. We are looking for full co-authors, so please don’t offer to write or code 
for a fee.

2. Feel free to forward this announcement to any individual (not a list).

3. Our publisher would need to approve your participation.

Serious inquiries only, please.

-mg-

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] Application Security Debt and Application Interest Rates

2011-03-07 Thread Chris Wysopal

Once you have a model and some rough data sources you can iterate and attempt 
precision that is usable. I agree that the precision isn't there yet (my 
scientific way of saying "smoke and mirrors") but I won't rule out that this 
can get good enough to be used for decision making.

There are decisions being made on app sec spending but it is ad hoc right now. 
Organizations are spending money on app sec and they are also spending money on 
cleaning up breaches. They do think about reducing breach costs to the 
organization. This model can help them do that.

-Chris 

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On 
Behalf Of Johan Peeters
Sent: Sunday, March 06, 2011 12:53 PM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Application Security Debt and Application Interest Rates

Security debt seems to me a very useful concept. Thanks, Chris.
As I pointed out in my blog post
(http://www.artima.com/weblogs/viewpost.jsp?thread=320875), I do not believe in 
quantitative models though. Clearly, it is interesting to try to nail the 
factors that contribute to the cost and to establish whether it is cheaper to 
pay back or service the debt, but to put numbers on these costs is smoke and 
mirrors imho.

kr,

Yo

On Sun, Mar 6, 2011 at 6:19 PM, Sammy Migues wrote:
> Just in case others have missed it, there’s a response from Russell 
> Thomas on the New School blog at 
> http://newschoolsecurity.com/2011/03/fixes-to-wysophal’s-application-security-debt-metric/.
>
> From: sc-l-boun...@securecoding.org 
> [mailto:sc-l-boun...@securecoding.org]
> On Behalf Of Chris Wysopal
> Sent: Friday, March 04, 2011 7:38 PM
> To: SC-L@securecoding.org
> Subject: [SC-L] Application Security Debt and Application Interest 
> Rates
>
> I have a couple of blog posts modeling application vulnerabilities the 
> way you might think of technical debt.
>
> Part I: Application Security Debt and Application Interest Rates
>
> http://www.veracode.com/blog/2011/02/application-security-debt-and-application-interest-rates/
>
> Part II: A Financial Model for Application Security Debt
>
> http://www.veracode.com/blog/2011/03/a-financial-model-for-application-security-debt/
>
> -Chris



--
Johan Peeters
http://johanpeeters.com
