> Gary, may I suggest an alternative response to application firewalls and the
> notion that it is hare-brained? Of course this is true but this list is
> missing a major opportunity to finally calculate an ROI model. If you ask
> yourself, what types of firewalls are pervasively deployed, you w
On 4/4/07, J. M. Seitz <[EMAIL PROTECTED]> wrote:
From secure coding practice in development, proper QA cycle and
regression testing, deployment security touchpoints, and finally adding the
extra layer on the top is putting application layer firewalls in place,
which if we ever have a 0-day styl
> For many shops, having another type of firewall could cost
> millions whereas putting tools in the hands of developers may
> actually be cheaper. We as a community may be better served
> by encouraging application firewalls and letting the
> financial model for complying work in our favor...
-Original Message-
From: Gary McGraw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 10:01 AM
To: McGovern, James F (HTSC, IT); SC-L@securecoding.org
Subject: RE: [SC-L] Darkreading: compliance
Hi all,
Another big momentum machine for software sec
es F (HTSC, IT) [mailto:[EMAIL PROTECTED]
Sent: Mon Apr 02 11:15:49 2007
To: SC-L@securecoding.org
Subject: [SC-L] Darkreading: compliance
SoX has done a wonderful job of getting enterprises to embrace the notion of
holistic identity and access management which wasn't occurring prior to it. It
would be interesting to hear from folks here what other enterprise initiatives
you think should be on the radar of large enterprises.
At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:
> SOX has been a complete waste, imo. First, the majority of it was already
> covered in existing law. Second, it really has nothing to do with security
> from a practical standpoint. The only purpose SOX has served is to give
> auditors another
ivilization."
-President Franklin Delano Roosevelt
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary McGraw
> Sent: Monday, March 12, 2007 4:53 PM
> To: SC-L@securecoding.org
> Subject: [SC-L] Darkreading: compliance
>
www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com.
-Original Message-
From: Bruce Ediger [mailto:[EMAIL PROTECTED]
Sent: Tue Mar 13 12:10:42 2007
To:
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: compliance
On Tue, 13 Mar 2007, somebody wrote (attribution isn't clear to me):
> no. my feeling is that it focuses management on unimportant things like
> meeting checkpoints rather than actually doing useful things.
I heartily agree. "Compliance" almost always becomes (in the worst sense
of the word) a ma
On Tue, 13 Mar 2007, Michael Silk wrote:
> no. my feeling is that it focuses management on unimportant things like
> meeting checkpoints rather than actually doing useful things.
While I understand the sentiment, one thing I don't know is: how could
you measure "doing useful things" in any repe
> what do you think? have compliance efforts you know about helped to
> forward software security?
Compliance brings accountability. Without accountability or financial impact
people have little incentive for putting security on the priority list. I for
one welcome our compliance overlords.
R
On 3/13/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
hi sc-l,
this month's darkreading column is about compliance. my own belief is
that compliance has really helped move software security forward. in
particular, sox and pci have been a boon:
http://www.darkreading.com/document.asp?doc_id=1191
Maybe it depends on the vertical? What vertical(s) did you find it a
distraction in?
gem
-Original Message-
From: Michael Silk [mailto:[EMAIL PROTECTED]
Sent: Mon Mar 12 17:34:56 2007
To: Gary McGraw
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading
hi sc-l,
this month's darkreading column is about compliance. my own belief is
that compliance has really helped move software security forward. in
particular, sox and pci have been a boon:
http://www.darkreading.com/document.asp?doc_id=119163
what do you think? have compliance efforts you kn