<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3603" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=421051419-04112009><FONT face=Arial
color=#0000ff size=2>Eoin, I think your take on SAMM is interesting. I think the
difference is not to look for evidence but to measure against controls. Auditors
use the notion of controls to figure out good vs bad and is less fluid /
abstract that simply seeking evidence. I wonder if Pravir or others that thought
about expanding SAMM to include audit language.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <B>On Behalf Of
</B>Eoin<BR><B>Sent:</B> Wednesday, November 04, 2009 11:07 AM<BR><B>To:</B>
owasp-leaders@lists.owasp.org<BR><B>Cc:</B>
sc-l@securecoding.org<BR><B>Subject:</B> Re: [Owasp-leaders] Question on
ISACA<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Re understanding what secure codeing is:</DIV>
<DIV> </DIV>
<DIV>Taking a look at the OWASP development guides and Code review guide is a
start: The intro sections cover what a secure SDLC whould look like etc.</DIV>
<DIV>Looking at SAMM can indicate what is required also by examining the domains
and mapping onto the SDLC</DIV>
<DIV> </DIV>
<DIV>Re auditing: (it's not just secure coding, its the whole kahuna)</DIV>
<DIV> </DIV>
<DIV>
<DIV>Evidence of developer training is a good start</DIV>
<DIV> </DIV></DIV>
<DIV>Evidence Secure coding guidelines are nice to see, event better if they
have a review history (looked used!). </DIV>
<DIV>A generic secure application development policy could be used which can be
linked to technolofy specific guidelines</DIV>
<DIV> </DIV>
<DIV>Evidence of review and adherence to them.</DIV>
<DIV> </DIV>
<DIV>Evidence of negative testing, negative use cases anti patterns & threat
modeling</DIV>
<DIV> </DIV>
<DIV>but there is more.......</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR><BR> </DIV>
<DIV class=gmail_quote>2009/11/4 McGovern, James F. (eBusiness) <SPAN
dir=ltr><<A
href="mailto:James.McGovern@thehartford.com">James.McGovern@thehartford.com</A>></SPAN><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<P><FONT face=Arial size=2>John Morency of Gartner just finished giving a
presentation to our IT executives and one of the observations is that IT
auditors have zero clue as to how to audit a secure coding practice. IT audit
right now is limited to simply looking at "control" documents and viewing
things through the lens of "infrastructure". Is there something we as a
community should be doing to make auditors smarter?</FONT></P><PRE>************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************
</PRE></DIV><BR>_______________________________________________<BR>OWASP-Leaders
mailing list<BR><A
href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</A><BR><A
href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
target=_blank>https://lists.owasp.org/mailman/listinfo/owasp-leaders</A><BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Eoin Keary<BR><BR>OWASP Code Review Guide Lead
Author<BR>OWASP Ireland Chapter Lead<BR>OWASP Global Committee Member
(Industry)<BR><BR><A href="http://asg.ie/">http://asg.ie/</A><BR><A
href="https://twitter.com/EoinKeary">https://twitter.com/EoinKeary</A><BR><pre>************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************
</pre></BODY></HTML>