>I for one am pretty satisfied with the rate at which things are
>progressing
I dunno...
Again, trying to keep it pithy: I for one welcome our eventual new [insert
hostile nation state here] overlords.
What I see from my vantage point is a majority of people who (1)should know
better given thei
> But the vast majority of clients I work with don't have the time or need
or ability to take advantage of BSIMM
Mike's Top 5 Web Application Security Countermeasures:
1. Add a security guy or gal who has a software development background to
your application's software development team.
2. Turn
Fun article. To try to be equally pithy in my response: the article reads to
me like a high-tech, application security-specific form of McCarthyism.
To explain...
The amount of reinvention and discussion about the problems in this space is
spectacular.
If one has something to start from which on
> we start to create standards for how Security Controls should behave [and
basically the rest of the post]
I submit ASVS for your consideration. If one is further concerned about
building blocks in the environment, check out Common Criteria and FIPS
140-2.
Also,
There have also been discussions
eat modeling, static code analysis, dynamic
> analysis, etc. aren’t concepts that apply to, or only work in large orgs,
> and certainly aren’t proprietary to Microsoft.
>
> Dave
>
> *From:* Mike Boberski [mailto:mike.bober...@gmail.com]
> *Sent:* Monday, Dec
the extent
> possible, then advise/adjudicate as necessary for situations that don’t fit
> the norm.
>
> Dave
>
> *From:* Mike Boberski [mailto:mike.bober...@gmail.com]
> *Sent:* Monday, December 21, 2009 5:22 PM
> *To:* Gary McGraw
> *Cc:* David
SSG a "committee" is pretty hilarious. I doubt any of the 100
> microsoft SSG members think they are a committee. Hey ladd, how goes the SDL
> committee?
>
> gem
>
> --
> *From*: Mike Boberski
> *To*: Gary McGraw
> *Cc*: Secure Cod
Hi Gary.
To play devil's advocate:
Current organizational practices aside, I would say that organizations
really need more and better toolkits and standards for developers to use,
than they need more and better committees.
A toolkit example that comes to mind, to keep this email short: the
highl