The Art of Scoping Application Security Reviews (Part 1) - The Business ォ Mark Curphey - SecurityBuddha.com
Mark Curphys starting a series of posts on application security review scoping, which should be interesting reading (although I imagine it may annoy some people in the industry ;o) )
In this one looking at the business aspects I particularly liked the bit about "Bling Bling or Bang Bang" It's true to say that in a lot of cases the money spent getting consultants to write up reports could be better spent elsewhere, especially in cases where an internal team will be refomatting the output before presenting it to the business.
Also like some other people in the industry (Marcus Ranum being an example) Mark seems to have a flair for analogies. drawing the analogy from security assessment companies to the food industry was in many ways bang on.
There are "Chefs" out there, where you specifically want their services, not just those of the company they work for. That said I'm not sure any of the companies out there will want to be associated with being "food chains" !


raesene

Security Geek, Kubernetes, Docker, Ruby, Hillwalking