Pride of ownership may very well be the reason for lack of adequate QC and
Security control but my take is that it might have something to do with
security professionals not doing a good enough job of selling the value of
security in the SDLC. If the decision makers could be educated on the
contractual and regulatory obligations for secure coding (think PCI and
SOX), coupled with meaningful deliverables (no Nessus or Webinspect scan
reports w/tons of false positives), we might begin to see greater support
for inviting security pros to inception of project rather than remaining as
an afterthought, when the application has already been released to
production.
Security, privacy, compliance requirements have to be built into the product
lifecycle from the beginning (I know. I'm preaching to the choir) and it has
to be based on sound risk management principles, taxonomy, and jargon that
can be understood by the business. How else do we expect to get buy in to
our sell.
Just my 2 cents.
--------------------------------------------------
From: "Robert Hajime Lanning" <robert.lanning (at) gmail (dot) com [email concealed]>
Sent: Sunday, November 02, 2008 11:24 AM
To: "Security Basics" <security-basics (at) securityfocus (dot) com [email concealed]>; "Web Application
Security" <webappsec (at) securityfocus (dot) com [email concealed]>
Subject: Re: A Question of Quality
> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed (at) gmail (dot) com [email concealed]>
> wrote:
>> Why isn't Quality Assumed?
>> Why isn't Security Assumed?
>> Why are these concepts thought of as add ons to Applications and
>> Services?
>>
>> Why do they need to be specified, when they should be taken for granted?
>> - Input Validation
>> - Boundary Conditions
>> - Encrypt Data as necessary
>> - Least Privilege Access
>> - White lists are better than Black lists
>
> I believe one of the issues is, pride of ownership in the end product.
>
> A lot of the coding is now outsourced to cheap code houses. These people
> do not have ownership or attribution. They have no reason to take any
> extra
> steps, that are not specified in the contract. If it is not in the
> contract, they
> are not being paid for it.
>
> It's like a building contractor. If it is not in the blue prints, it
> does not go into
> the finished building. That is why a building spec is a thick book, that
> goes
> all the way to specifying the exact screw to use.
>
> --
> And, did Galoka think the Ulus were too ugly to save?
> -Centauri
>
> ------------------------------------------------------------------------
-
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web
> application security assessments should be considered a crucial phase in
> the development of any web application. What methodology should be
> followed? What tools can accelerate the assessment process? Download this
> Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
Security control but my take is that it might have something to do with
security professionals not doing a good enough job of selling the value of
security in the SDLC. If the decision makers could be educated on the
contractual and regulatory obligations for secure coding (think PCI and
SOX), coupled with meaningful deliverables (no Nessus or Webinspect scan
reports w/tons of false positives), we might begin to see greater support
for inviting security pros to inception of project rather than remaining as
an afterthought, when the application has already been released to
production.
Security, privacy, compliance requirements have to be built into the product
lifecycle from the beginning (I know. I'm preaching to the choir) and it has
to be based on sound risk management principles, taxonomy, and jargon that
can be understood by the business. How else do we expect to get buy in to
our sell.
Just my 2 cents.
--------------------------------------------------
From: "Robert Hajime Lanning" <robert.lanning (at) gmail (dot) com [email concealed]>
Sent: Sunday, November 02, 2008 11:24 AM
To: "Security Basics" <security-basics (at) securityfocus (dot) com [email concealed]>; "Web Application
Security" <webappsec (at) securityfocus (dot) com [email concealed]>
Subject: Re: A Question of Quality
> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed (at) gmail (dot) com [email concealed]>
> wrote:
>> Why isn't Quality Assumed?
>> Why isn't Security Assumed?
>> Why are these concepts thought of as add ons to Applications and
>> Services?
>>
>> Why do they need to be specified, when they should be taken for granted?
>> - Input Validation
>> - Boundary Conditions
>> - Encrypt Data as necessary
>> - Least Privilege Access
>> - White lists are better than Black lists
>
> I believe one of the issues is, pride of ownership in the end product.
>
> A lot of the coding is now outsourced to cheap code houses. These people
> do not have ownership or attribution. They have no reason to take any
> extra
> steps, that are not specified in the contract. If it is not in the
> contract, they
> are not being paid for it.
>
> It's like a building contractor. If it is not in the blue prints, it
> does not go into
> the finished building. That is why a building spec is a thick book, that
> goes
> all the way to specifying the exact screw to use.
>
> --
> And, did Galoka think the Ulus were too ugly to save?
> -Centauri
>
> ------------------------------------------------------------------------
-
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web
> application security assessments should be considered a crucial phase in
> the development of any web application. What methodology should be
> followed? What tools can accelerate the assessment process? Download this
> Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> ------------------------------------------------------------------------
-
>
>
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-
[ reply ]