Company Blog

A Mini-Architecture for Security Guidance

Benjamin Tomhave wrote about “tiering” security guidance when I cross-posted a comment to my last blog entry on the SC-L mailing list. Quoting him: The higher up you are in the policy framework, the more general and time-enduring the content should be. The farther you progress down the framework to a more detailed level, the [...]

SDLC on the shoulders of giants

Software security veterans have all certainly thought about the idea of ‘securing the SDLC’… I can tell because every consulting firm’s collateral that I’ve seen in the past year has a new bullet under their ‘services’ section referring to something like ‘Secure development process integration’ or ‘Secure SDLC services’. That being said, let’s talk about [...]

How to Write Good Security Guidance

The process of writing security guidance is just as important to the quality of the resulting standards as is the target: technology-specific, code-centric constructive statements. How do you succeed? By using the same muscles you exercise when you conduct secure design. When I write security guidance, such as the technology-specific standards I blogged about last [...]

Security Guidance and its “Specificity Knob”

While speaking at a conference out west an interested attendee challenged me: “You said I should make my security standards as specific as possible, but the other speaker said, ‘Keep them general’, what gives?” This type of exchange happens all too often in the software security space these days. I could do a piece on [...]

The Inevitability of DIY

In the course of my career I have been involved in a fair number of startups. I’ve had pretty good luck, and most of them have been successful. One, however, was a complete failure. I refer to that experience as my DIY MBA. You can learn more from failure than you can from success. It [...]