Hi,
I know exactly how you (and they) feel.
Convince them that peer code reviews and group code reviews are a
standard part of the development process today and they should be doing
this themselves for every project - at least for the critical modules.
Once that happens then when you show up it will be far less foreign and
scary!
Thanks
Derek
____________________________
Derek Browne, CISSP derek.browne@emergis.com
Senior Security Consultant, CISO
BCE Emergis 905-707-4001 x4787
NOTICE : This e-mail is confidential, privileged and intended for the
exclusive use of the addressee. Any other person is strictly prohibited
from disclosing, distributing or reproducing it. If you have received
this e-mail by mistake, please notify us immediately by telephone and
delete all copies
-----Original Message-----
From: Yvan Boily [mailto:yboily@seccuris.com]
Sent: Monday, August 30, 2004 1:45 PM
To: secprog@securityfocus.org
Subject: "Selling" a code-audit.
One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity,
however on almost every single code audit I have participated in I have
received hostile responses from the development team. I have tried a
variety of approaches to develop a stronger rapport with the development
team, however in spite of my best efforts I find that going into a code
audit I am already fighting against preconceptions about why the code
audit is being performed.
I understand that many people feel threatened when work they have done
is criticized; what I need to know is how I can minimize this and coax
the development teams into being more interactive than defensive. Any
pointers?
Yvan Boily
