To clarify further, this is not meant to be prescriptive or even a set of
best practices. It's a simple observation of how many organizations tend to
evolve if a secure SDLC is not a major priority. I can't say it's based on
hard data, but we have compiled the steps from experiences at several clients
and validated it with several others.

If you were seeking advice on how to build security into the SDLC from the
ground up or looking for a set of activities to perform, you'd be better
served by looking at BSIMM. The organic secure SDLC misses things, like
threat modeling, because in our observations they don't seem to be done
consistently.

On Mon, Jul 18, 2011 at 6:40 PM, Gary McGraw <g...@cigital.com> wrote:

> hi anurag,
>
> The main difference is it is a prescriptive model based on experience
> (opinion?).  The BSIMM is a descriptive model based on observation of over
> 40 firms.  Stay tuned for BSIMM3 in September-ish.
>
> gem
>
> p.s. See Cargo Cult Computer Security
> <http://www.informit.com/articles/article.aspx?p=1562220> (January 28,
> 2010) for more on prescriptive versus descriptive models.
>
> From: Anurag Agarwal <anurag.agar...@yahoo.com>
> Date: Mon, 18 Jul 2011 15:48:50 -0400
> To: 'Rohit Sethi' <rkli...@gmail.com>, Secure Code Mailing List
> <SC-L@securecoding.org>
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> Rohit – How is this different from BSIMM?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anu...@myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
> On Behalf Of Rohit Sethi
> Sent: Monday, July 18, 2011 2:45 PM
> To: Secure Code Mailing List
> Subject: [SC-L] The Organic Secure SDLC
>
> Hi all,
>
> Over the years we've had the opportunity to see the evolution of security
> in software development life cycles (SDLC) at many organizations. We've
> started to see patterns in how things evolve from a path of least
> resistance: from the bare minimum of production penetration testing through
> to security in requirements & QA.
>
> In order to help us assess where an organization stands in terms of
> application security maturity, we developed the Organic Secure SDLC model:
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/
>
> If you're an actual practitioner who has lived through developing a secure
> SDLC I'd love to hear your thoughts about the model's accuracy / relevancy.
>
> If you know of any practical whitepapers / articles that might be of use to
> somebody responsible for moving to the next in this model then please let me
> know.
>
> Cheers,
>
> --
> Rohit Sethi
> SD Elements
> http://www.sdelements.com
> twitter: rksethi


-- 
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________