So-so SASO … So What?

A couple of days ago, I happened across Oracle CISO Mary Ann Davidson’s August 24, 2011 blog, “Those Who Can’t Do, Audit” at and began writing a column about Davidson’s blog. Then I was pointed to Veracode’s Chris Wysopal’s response “Musings on Custer’s Last Stand” at  by an email from Tom Brennan of OWASP. The result was that I thought I should begin again and include the points and counterpoints of Davidson and Wysopal.

Their interchange put me into something of a dilemma since I know both Mary Ann and Chris personally and greatly respect and admire them both for their knowledge and achievements. That being said, my first response to the Davidson blog was that Mary Ann is touting the Oracle party line again. It would be difficult for her not to, since Mary Ann’s world is a huge and wealthy software development shop. But the rest of the world, except perhaps for a few big names, is not like that at all. The rest of the world doesn’t generally have large in-house software assurance capabilities, and so the same rules don’t usually apply. I know from my own experience that even companies with large application development staffs, in the hundreds of developers, are not able to justify retaining in-house the necessary number of employees with the requisite expertise. And, even if they could afford such a group, it is likely that the staff would not be fully occupied. In fact, I have been a strong proponent of going out and engaging experienced application security experts, in particular, as well as having some third-party assurance of the security of acquired software products… the U.S. government and financial services regulators demand it.
