WebApp Sec: Re: SAS 70 and software policies

From: <jcglover_at_telus.net>
Date: Sat, 1 Oct 2005 01:07:06 -0700

James: As a CISSP AND a CISA I can certainly accept and promote that ALL
software activities that have anything to do with Integrity of business systems
or other information security precepts ABSOLUTELY follow the same rigour and
discipline as the SDLC or the SSE-CMM best practices...

If you are a CISSP there are 35,000 plus colleagues that use a list server for
resolution of these types of questions. If you are not, I would be happy to
post your query on that list server on your behalf. I expect that there will
be many points of view on this but they will all address the need for
consistent discipline across ANY software that either touches the database or
has Integrity or Confidentiality process rules...

Kind regards, JohnG
jglover_at_isc2.org

Quoting James Strassburg <JStrassburg_at_directs.com>:

> My organization is currently preparing for a SAS 70 audit. We started
> writing web application security standards a while ago. That got
> extended to a software engineering security policy and that got extended
> to a full software engineering policy covering our entire SDLC. My
> question is not about web app sec, however, but rather user developed
> macros. Should user (and by user I mean non-software developer)
> developed macros be subject to the same software lifecycle that our
> production apps would? If not what about if the macros hit production
> databases or other production network resources?
>
> This is the best channel I can think of for this question so I apologize
> if it is inappropriate. If anyone knows of a better channel please let
> me know. thanks.
>
> James A. Strassburg Jr.
> Software Security Architect
> Direct Supply, Inc.
>
>
Received on Oct 02 2005
