hi sc-l,

In November we held a BSIMM Community Conference which 20 of the 32 BSIMM2 
participating firms attended (see http://bsimm.com).  The conference was 
fantastic <http://www.cigital.com/justiceleague/2010/11/12/bsimm-community-conference/>.  
During the conference we included a workshop on efficiency and effectiveness 
where we gathered data about how software security initiative executives set 
their practice mix to achieve the greatest success.  Sammy and I just wrote up 
a short article with the data and some cursory analysis:

Software [In]security: Driving Efficiency and Effectiveness in Software Security
http://www.informit.com/articles/article.aspx?p=1671924

Our most interesting observation:
…effort in Penetration Testing starts out very high in young initiatives just 
getting started and decreases dramatically as software security initiatives get 
older.  …there's also an interesting bulge in Architecture Analysis and Code 
Review in the middle "adolescent" bucket. …Practices in older organizations are 
more evenly balanced than young initiatives or adolescent initiatives.

We've really only scratched the surface of the practice-mix question with this 
data set.  Plenty of work remains.  (I think Jeremiah will like the spend data 
though.)

Your comments, feedback, and use of the data are welcome.

Merry new year everybody.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________