hi sc-l,

During RSA this year Jim Routh (JPMC), Doug Cavit (Microsoft) and I ended up 
having a productive "hall meeting" about vendor control, the Microsoft SDL, the 
BSIMM, and software security.  Jim is in search of a way to place some kind of 
security control over his software vendors (they are ramping up their software 
security initiative at JPMC this year but also use plenty of COTS and 
third-party software).  The issue is how to get to an SDL-level discussion with 
vendors instead of languishing in the "OWASP-top-ten for one particular app" 
space.

Here is an article about Vendor Control and the BSIMM that introduces a very 
simple attestation-based scheme Sammy and I have developed called vBSIMM.  Jim 
has been in the loop throughout ideation and writing and endorses the approach:
http://www.informit.com/articles/article.aspx?p=1703668

Two things to note: 1) the vBSIMM bar is very low, but the working theory is 
that three sets of vendors will emerge once we try this out: some vendors 
(including those who participate in the BSIMM Community) will be well past 
these simple activities, some will be mealy-mouthed about exactly what they are 
doing, and some will be clueless.  We believe that the vBSIMM will be able to 
distinguish between those three sets rather easily. 2) beginning with the 
vBSIMM may encourage smaller vendors to develop more mature software security 
initiatives.

The notion of self-scoring and attestation works for very easy activities such 
as those included in the vBSIMM.  A complete BSIMM score makes much better 
sense for vendors who are well ahead of the curve (e.g., BSIMM participants).

Don't forget to compare this in your mind to the alternative, which seems to be 
looking for certain bugs in a particular app, one app at a time.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________