hi sc-l, The BSIMM is a sizeable document, so digesting it all at once can be a challenge. My monthly informIT column this month explains the BSIMM in a much easier to digest, shorter form. The article is co-authored by Brian and Sammy.
BSIMM: Confessions of an Alchemist
http://www.informit.com/articles/article.aspx?p=1332285

<Dons asbestos suit from the 80s flame wars>

We had a great time writing this one. Here is my favorite paragraph (in the science versus alchemy vein):

"Both early phases of software security made use of any sort of argument or 'evidence' to bolster the software security message, and that was fine given the starting point. We had lots of examples, plenty of good intuition, and the best of intentions. But now the time has come to put away the bug parade boogeyman, the top 25 tea leaves, black box web app goat sacrifice, and the occult reading of pen testing entrails. The time for science is upon us."

John Waters also wrote a nice piece on the BSIMM that appeared today:
http://visualstudiomagazine.com/news/article.aspx?editorialsid=10689

To download the complete model, see http://bsi-mm.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________