WebApp Sec
mailing list archives
Re: SAS 70 and software policies
From: jcglover () telus net
Date: Sat, 1 Oct 2005 01:07:06 -0700
James: As a CISSP AND a CISA I can certainly accept and promote that ALL
software activities that have anything to do with the Integrity of business systems
or other information security precepts ABSOLUTELY follow the same rigour and
discipline as the SDLC or the SSE-CMM best practices...
If you are a CISSP there are 35,000 plus colleagues that use a list server for
resolution of these types of questions. If you are not, I would be happy to
post your query on that list server on your behalf. I expect that there will
be many points of view on this but they will all address the need for
consistent discipline across ANY software that either touches the database or
has Integrity or Confidentiality process rules...
Kind regards, JohnG
jglover () isc2 org
Quoting James Strassburg <JStrassburg () directs com>:
My organization is currently preparing for a SAS 70 audit. We started
writing web application security standards a while ago. That got
extended to a software engineering security policy and that got extended
to a full software engineering policy covering our entire SDLC. My
question is not about web app sec, however, but rather user developed
macros. Should user (and by user I mean non-software developer)
developed macros be subject to the same software lifecycle that our
production apps would? If not, what about if the macros hit production
databases or other production network resources?
This is the best channel I can think of for this question, so I apologize
if it is inappropriate. If anyone knows of a better channel, please let
me know. Thanks.
James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.