JIRA RISK workflow handling of 'Risk Fatigue' |
By Dinis Cruz Blog, on 2016-03-03 at 10:03:38
On an email thread related to "Updated JIRA RISK workflow now with a 'Fixing' State", I received this great question:

"I really like the idea of forcing someone to almost sign that they accept the risk. Forces them to really think about it. One thing I'm curious about is whether there is such a thing as risk fatigue, like you have monitoring fatigue. So, the first few times you accept risk you do so with a heavy heart, but each time you do it and there are no perceived negative consequences, it gets a little easier. That is, until the point when you're completely exposed and something bad does actually happen. Having said that, the alternative of not physically accepting the risk in some way is far worse IMO, and by using something like Jira you can at least measure the ratio of fixed vs risk accepted over time. Hopefully it moves in the right direction."

And here is my answer:

Yes, that 'Risk Accepted' button is the KEY for this workflow, since that needs to be done by the 'business owners' and leaves a trail of responsibility.

Once the risk is accepted by the business owner, that risk:
a) needs to be approved by AppSec/CISO
b) is added to the list of 'accepted risks' of that team, app or product, which is distributed every week to multiple parties, including their bosses ... all the way to the CTO.

The way you deal with Risk Fatigue is to make it very real to them, i.e. make clear what this means: they are accepting risk. And since security issues tend to describe real problems with apps, every now and then there is a big incident created by one of those issues (a real attack, or Murphy), which makes it even more real and injects more energy into fixing them.
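As an added example (not the author's JIRA configuration or any code from the post), here is a small Python model of the workflow described above: a business owner moves an issue to 'Risk Accepted', a separate AppSec/CISO role must approve it, approved risks land on a per-team register, and a report computes the fixed vs risk-accepted ratio over a period. The state names, role names, issue keys and dates are constructed assumptions, not values from the page.

```python
"""Toy model of the JIRA RISK workflow from the post (added example, assumed names)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Workflow states and the transitions allowed from each (assumed state names).
TRANSITIONS = {
    "Open": {"Fixing", "Risk Accepted"},
    "Fixing": {"Fixed", "Open"},
    "Risk Accepted": {"Risk Approved", "Open"},  # AppSec/CISO approves or sends it back
    "Risk Approved": set(),
    "Fixed": set(),
}

# Which roles may move an issue into each state. The separation between the
# business owner who accepts and the AppSec/CISO who approves is the point.
ALLOWED_ROLES = {
    "Risk Accepted": {"business_owner"},
    "Risk Approved": {"appsec", "ciso"},
    "Fixing": {"developer", "business_owner"},
    "Fixed": {"developer"},
    "Open": {"developer", "appsec", "ciso", "business_owner"},
}


@dataclass
class RiskIssue:
    key: str
    team: str
    state: str = "Open"
    history: list = field(default_factory=list)  # (date, actor, role, new_state)


def transition(issue, new_state, actor, role, when):
    """Apply a transition, enforcing both the state machine and the role rule."""
    if new_state not in TRANSITIONS[issue.state]:
        raise ValueError(f"{issue.key}: {issue.state} -> {new_state} is not allowed")
    if role not in ALLOWED_ROLES[new_state]:
        raise PermissionError(f"{issue.key}: role {role!r} may not set {new_state}")
    issue.history.append((when, actor, role, new_state))  # the trail of responsibility
    issue.state = new_state
    return issue


def accepted_risk_register(issues):
    """Per-team list of approved accepted risks: (key, who accepted, who approved)."""
    register = defaultdict(list)
    for issue in issues:
        if issue.state == "Risk Approved":
            accepted = next(h for h in issue.history if h[3] == "Risk Accepted")
            approved = next(h for h in issue.history if h[3] == "Risk Approved")
            register[issue.team].append((issue.key, accepted[1], approved[1]))
    return dict(register)


def fixed_vs_accepted(issues, since):
    """Count outcomes reached on or after `since` and the share that were fixed."""
    fixed = accepted = 0
    for issue in issues:
        for when, _actor, _role, state in issue.history:
            if when < since:
                continue
            if state == "Fixed":
                fixed += 1
            elif state == "Risk Approved":
                accepted += 1
    total = fixed + accepted
    ratio = fixed / total if total else None
    return {"fixed": fixed, "accepted": accepted, "fixed_ratio": ratio}


# Constructed sample data, not real issues.
REPORT_START = date(2016, 2, 1)
LATE_REPORT_START = date(2016, 2, 15)


def build_sample_issues():
    a = RiskIssue("RISK-1", "payments")
    transition(a, "Fixing", "dev1", "developer", date(2016, 2, 1))
    transition(a, "Fixed", "dev1", "developer", date(2016, 2, 10))
    b = RiskIssue("RISK-2", "payments")
    transition(b, "Risk Accepted", "owner1", "business_owner", date(2016, 2, 5))
    transition(b, "Risk Approved", "ciso1", "ciso", date(2016, 2, 6))
    c = RiskIssue("RISK-3", "mobile")
    transition(c, "Risk Accepted", "owner2", "business_owner", date(2016, 2, 20))
    transition(c, "Risk Approved", "appsec1", "appsec", date(2016, 2, 22))
    d = RiskIssue("RISK-4", "mobile")
    transition(d, "Fixing", "dev2", "developer", date(2016, 2, 25))
    return [a, b, c, d]


def developer_cannot_self_accept():
    """A developer trying to accept risk on their own issue is refused."""
    try:
        transition(RiskIssue("RISK-9", "x"), "Risk Accepted", "dev", "developer", date(2016, 3, 1))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    issues = build_sample_issues()
    print(accepted_risk_register(issues))
    print(fixed_vs_accepted(issues, REPORT_START))
```

The register is what would be mailed out weekly; the ratio is the trend the question asks about, and running it over a rolling window shows whether 'Risk Accepted' is becoming the default outcome.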