For starters I believe you misinterpreted my comments on QA. I was in no way slamming their abilities. With this in mind, comments below.
Before anyone talks about vulnerabilities to test for, we have to figure out what the business cares about and why. What could go wrong? Who cares? Wh
Hello Andy,
Once an application is released or put into production, what are
organizations doing to keep the applications secure? As new
Some organizations purchase web application security scanners and perform periodic scanning (this could be done by the SOC) or use a service such as
On Wed, 6 Jun 2007, Wietse Venema wrote:
more and more people, with less and less experience, will be programming computer systems.
The challenge is to provide environments that allow less experienced people to program computer systems without introducing gaping holes or other
Gary, may I suggest an alternative response to application firewalls and the notion that it is hare-brained? Of course this is true, but this list is missing a major opportunity to finally calculate an ROI model. If you ask yourself what types of firewalls are pervasively deployed, you
What do you think? Have compliance efforts you know about helped to forward software security?
Compliance brings accountability. Without accountability or financial impact, people have little incentive for putting security on the priority list. I for one welcome our compliance overlords.
a) the final binaries were the ones infected (very easy to detect (imagine if the infected code was actually from 'real' SVN source code and made from a 'trusted' developer))
b) by the speed this was detected, the exploit (and the blog page didn't give a lot of details about it) must have
I'll be there.
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
How many of the list members are going to RSA? Any plans to get together for
some coffee?
Secure Coding mailing list (SC-L) SC-L@securecoding.org
This is great, and something I have incorporated into our own cycle previously, as carving out a spot on our team as the security engineer didn't seem to work. But by creating a process for including security testing, abuse cases, etc., I was able to incorporate security without a big hit to
I have released a new document, 'Challenges faced by automated web application security assessment tools', that a few of you may find interesting.
URL:
http://www.cgisecurity.com/articles/scannerchallenges.shtml
Comments welcome.
- Robert
http://www.cgisecurity.com/ Website Security news,