Comments for Software Secured Blog

Comment on About Me by The Evince Blog » Blog Archive » Don’t forget to Check Out the Events Hosted by HTCIA-Ottawa

Mon, 05 Jul 2010 14:53:11 +0000

[...] Despite taking a hiatus from our regular program, the HTCIA is holding Birds of a Feather (BOF) formatted events over the summer, including a discussion on Social Media attacks on July 13, 2010. This will be hosted by Sherif Koussa. [...]

Comment on How to Know Whether You Need Security Help by Bev

Bev — Tue, 08 Jun 2010 12:44:18 +0000

Love the analogy Sherif! They’re always an excellent way of helping the reader understand the msg. And it worked for me. Security on the internet has always been a concern of mine but wasn’t 100% sure where to start until now

Thanks Sherif.

Comment on Software security awareness has to start from the bottom up by Bruce

Bruce — Fri, 21 May 2010 08:22:04 +0000

I completely agree that Software Developers need to be onboard. It is the developers that must understand security and be onboard right from the first lines of code. Security must be built in, it can’t be “sold” after the fact.

Comment on Great Software Developers Strategy to Exodus by Sherif Koussa

Sherif Koussa — Mon, 03 May 2010 14:25:53 +0000

Bev, totally agree. I have been thinking about this for a couple of days. How would companies reverse the situation? How can software companies make their employees happy? Two things:
- Make sure the right employees are on
- Over deliver to them the same way you over deliver to your customers

Think Google, FogCreek, Apple….etc

Comment on Great Software Developers Strategy to Exodus by Bev

Bev — Tue, 27 Apr 2010 12:15:34 +0000

Sherif, ever heard of the expression, “The squeaky wheel gets the grease”? In most of my work career, that has been so true when it comes to employees. Those that speak the loudest, get what they want. This is not always the case thou. I believe it depends on the company.

Unfortunately, I believe it is reality that management is very busy trying to either stay afloat or grow the company. They don’t have time to notice the subtle messages that employees are sending. Especially if they appear even somewhat happy and productive.

If anyone has children or is around children, this is often the same. Unless the child speaks up, you assume everything is fine with them until one day when you find out it is too late.

Comment on SANS Mentor Developer 541: Secure Coding in Java/JEE: Developing Defensible Applications by Source Code Driven Security Assessment | Software Secured Blog

Source Code Driven Security Assessment | Software Secured Blog — Wed, 17 Mar 2010 01:44:21 +0000

[...] Training: deliver the best security development training of its kind to your J2EE or .NET [...]

Comment on Why You Should Re-consider Custom Error Pages by Lazy programmer’s guide to web.xml security review | Software Secured Blog

Mon, 15 Mar 2010 16:59:30 +0000

[...] in web.xml in my opinion is the most underutilized safety net in J2EE applications. You need to change how you think about custom error pages. Think of them as your safety net, what keeps you in control even when you screw up as a developer [...]

Comment on Software security awareness has to start from the bottom up by Sherif Koussa

Sherif Koussa — Wed, 24 Feb 2010 01:26:52 +0000

@Mark Agree with you, I think there will always be a need for some aiding tools for assurance for the most part but it wouldn’t be a substitute for the built-in security.

Comment on Software security awareness has to start from the bottom up by MarkH

MarkH — Wed, 24 Feb 2010 01:15:35 +0000

Comment on Software security awareness has to start from the bottom up by DCochran at SCIPP International dot org

DCochran at SCIPP International dot org — Tue, 23 Feb 2010 21:19:17 +0000

We are finally seeing the concept of the mentor / protege pay off after extensive marketing efforts to Sr. Developers. We offer an ANSI accredited on-line course which covers the principles of secure coding practices. It is not a hard-core training course, but an awareness course focused at anyone who is involved in the SDLC process – from the Procurement Officer to the hands-on coder.

We tried every avenue we could think of i.e. the Compliance Officer, the Security Officer, H/R, Training Managers, CIO’s everything…..then we realized just as you did – awareness must start at the Developer level and work its way up.

Once we realized this and properly addressed the need for the Sr. Developer to ensure that everyone who has a stake in the SDLC, and especially the more junior programmers / developers have an awareness of the basics – we have seen a couple hundred percent increase in people taking our training and getting certified.