WebApp Sec mailing list archives
Re: SAS 70 and software policies
From: jcglover () telus net
Date: Sat, 1 Oct 2005 01:07:06 -0700
James:

As a CISSP AND a CISA I can certainly accept and promote that ALL software activities that have anything to do with Integrity of business systems or other information security precepts ABSOLUTELY follow the same rigour and discipline as the SDLC or the SSE-CMM best practices...

If you are a CISSP there are 35,000 plus colleagues that use a list server for resolution of these types of questions. If you are not, I would be happy to post your query on that list server on your behalf.

I expect that there will be many points of view on this but they will all address the need for consistent discipline across ANY software that either touches the database or has Integrity or Confidentiality process rules...

Kind regards,
JohnG
jglover () isc2 org

Quoting James Strassburg <JStrassburg () directs com>:
My organization is currently preparing for a SAS 70 audit. We started writing web application security standards a while ago. That got extended to a software engineering security policy, and that got extended to a full software engineering policy covering our entire SDLC.

My question is not about web app sec, however, but rather user-developed macros. Should user-developed (and by user I mean non-software developer) macros be subject to the same software lifecycle that our production apps would? If not, what about if the macros hit production databases or other production network resources?

This is the best channel I can think of for this question, so I apologize if it is inappropriate. If anyone knows of a better channel please let me know.

thanks.

James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.