The Fallacy of Secure Software?

Justin Clarke, lead author of "SQL Injection Attacks and Defense," wrote a guest blog entry for fudsec.com dealing with Software Security. He mentions the two top SecSDLC models, OpenSAMM and BSIMM, and goes on to write:
...what is the activity that both OpenSAMM and BSIMM consider to be the most important thing in developing secure software? Pentesting? Code review?

Nope - it's having someone who is championing and driving software security within the organization. Having a group of folks who are ready and willing to shepherd and drive through all of the various changes to how the organization works over time. These are sometimes (in BSIMM in particular) referred to as the Software Security Group (SSG), and in many cases can be make or break in getting adoption and use of security initiatives within the organization.

After all of that, it turns out the best thing for software security in your organization may well be you...
Note: emphasis kept from the original document.
Src: The Fallacy of Secure Software | fudsec.com
