On Wed, Feb 4, 2009 at 7:26 PM, Paco Hope wrote:
>
> Andy also said "I think we lose something when we start saying 'everything
> is relative.'" I think we lose something more important if we try to impose
> absolutes: we lose the connection to the business. No business operates on
> absolutes a
> For starters I believe you misinterpreted my comments on QA. I was in
> no way slamming their abilities. With this in mind comments below.
Sorry about that. I am sensitive to the bias. I went to a very small company
once (10 people total) and as I looked around I saw offices with big LCDs (I
ass
On Wed, Feb 4, 2009 at 11:17 AM, Paco Hope wrote:
> Before anyone talks about vulnerabilities to test for, we have to figure
> out what the business cares about and why. What could go wrong? Who cares?
> What would the impact be? Answers to those questions drive our testing
> strategy, and ultim
For starters I believe you misinterpreted my comments on QA. I was in no way
slamming their abilities. With this in mind comments below.
> Before anyone talks about vulnerabilities to test for, we have to figure out
> what the business cares about and why. What could go wrong? Who cares? Wh
>
All,
I just read Robert's blog entry about "re-aligning training expectations for
QA." (http://bit.ly/157Pc3) It has some useful points that both developers and
so-called "security people" need to hear. I disagree with some implicit biases,
however, and I think we need to get past some stereoty
Sent: Wednesday, February 04, 2009 1:18 PM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Security in QA is more than exploits
All,
I just read Robert's blog entry about "re-aligning training expectations for
QA." (http://bit.ly/157Pc3) It has some useful points that both developers and
so