OWASP DC Roundtable with Boaz Gelbord, Jason Lam, Jim Manico and Jeff Williams
Published November 26, 2009
This podcast is based on the blog post "Overcoming Objections to an Application Security Program" by Jeremiah Grossman at http://jeremiahgrossman.blogspot.com/2009/08/overcoming-objections-to-application.html. The objections discussed are:
- "There have been no security problems in the past, nor is there any evidence we’ll be attacked in the future."
- "Security is an IT problem. They have firewalls, patch & configuration management systems, and SSL currently in place protecting us."
- "We need new features first and there is no discretionary budget left to allocate towards security."
- "Hackers can't break in because our Web application can't be accessed externally."
- "We outsource our software development and the vendor is responsible for making sure the code is secure."
- "We use penetration-testing services. We fix or accept the risk of any issues found, which keeps us safe."
- "We passed our most recent compliance audit and are not required to do anything more."
- "We trust our developers and they already know how to develop secure code after completing the training course."
- "We already have scanning tools. Doing more will slow down the development process, inhibit innovation, and add large unnecessary costs."