Try this on for size. JPMC already uses it in practice. vBSIMM (BSIMM for Vendors) <http://www.informit.com/articles/article.aspx?p=1703668> (April 12, 2011)

gem

On 7/18/11 8:35 PM, "Anurag Agarwal" <anurag.agar...@yahoo.com> wrote:

> Gary - So my next question is, can we come up with something like BSIMM
> lite, which small or medium size companies with limited resources can use?
> Or maybe pluggable modules, which different companies can pick and choose
> depending on the time and resources they can allocate to it?
>
> My thought process is since we have a comprehensive list of activities
> outlined in BSIMM, we should be able to utilize them unless it is something
> which won't work across various types of organizations or dev teams with
> limited resources or other such variables.
>
> What Rohit has outlined in his post is a very small subset of activities in
> a secure SDLC methodology. Agreed, most of the companies are allocating
> resources in those activities but that should not be the standard.
> Activities like static code analysis or vulnerability assessment should be
> used to validate threat mitigation and not a source of identifying them,
> since it gives them a false sense of security. The other key element I think
> which is required now is the measurement criteria to generate metrics. (I
> don't remember exactly what level of metrics criteria are defined in BSIMM)
> but they are a must for a company to assess if they are maturing in their
> process or not, otherwise most of the time it ends up being an academic
> exercise and gets bypassed as the deadlines get near.
>
> Thoughts?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anu...@myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
>
> -----Original Message-----
> From: Gary McGraw [mailto:g...@cigital.com]
> Sent: Monday, July 18, 2011 6:40 PM
> To: Anurag Agarwal; 'Rohit Sethi'; Secure Code Mailing List
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> hi anurag,
>
> The main difference is it is a prescriptive model based on experience
> (opinion?). The BSIMM is a descriptive model based on observation of over
> 40 firms. Stay tuned for BSIMM3 in September-ish.
>
> gem
>
> p.s. See Cargo Cult Computer Security
> <http://www.informit.com/articles/article.aspx?p=1562220> (January 28, 2010)
> for more on prescriptive versus descriptive models.
>
> From: Anurag Agarwal <anurag.agar...@yahoo.com>
> Date: Mon, 18 Jul 2011 15:48:50 -0400
> To: 'Rohit Sethi' <rkli...@gmail.com>, Secure Code Mailing List <SC-L@securecoding.org>
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> Rohit - How is this different from BSIMM?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anu...@myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Rohit Sethi
> Sent: Monday, July 18, 2011 2:45 PM
> To: Secure Code Mailing List
> Subject: [SC-L] The Organic Secure SDLC
>
> Hi all,
>
> Over the years we've had the opportunity to see the evolution of security in
> software development life cycles (SDLC) at many organizations. We've started
> to see patterns in how things evolve from a path of least resistance: from
> the bare minimum of production penetration testing through to security in
> requirements & QA.
>
> In order to help us assess where an organization stands in terms of
> application security maturity, we developed the Organic Secure SDLC model:
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/
>
> If you're an actual practitioner who has lived through developing a secure
> SDLC I'd love to hear your thoughts about the model's accuracy / relevancy.
>
> If you know of any practical whitepapers / articles that might be of use to
> somebody responsible for moving to the next in this model then please let me
> know.
>
> Cheers,
>
> --
> Rohit Sethi
> SD Elements
> http://www.sdelements.com
> twitter: rksethi

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________