Anurag, this shouldn't be the standard. You shouldn't be prescribing this as a set of activities when you're planning a secure SDLC. BSIMM or vBSIMM or SDL or Open SAMM are all better choices.
On Mon, Jul 18, 2011 at 8:35 PM, Anurag Agarwal <anurag.agar...@yahoo.com> wrote:

> Gary - So my next question is, can we come up with something like BSIMM lite, which small or medium size companies with limited resources can use? Or maybe pluggable modules, which different companies can pick and choose depending on the time and resources they can allocate to it?
>
> My thought process is since we have a comprehensive list of activities outlined in BSIMM, we should be able to utilize them unless it is something which won't work across various types of organizations or dev teams with limited resources or other such variables.
>
> What Rohit has outlined in his post is a very small subset of activities in a secure SDLC methodology. Agreed, most of the companies are allocating resources in those activities, but that should not be the standard. Activities like static code analysis or vulnerability assessment should be used to validate threat mitigation and not as a source of identifying them, since it gives them a false sense of security. The other key element I think is required now is the measurement criteria to generate metrics. (I don't remember exactly what level of metrics criteria are defined in BSIMM), but they are a must for a company to assess whether they are maturing in their process or not; otherwise most of the time it ends up being an academic exercise and gets bypassed as the deadlines get near.
>
> Thoughts?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anu...@myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
>
> -----Original Message-----
> From: Gary McGraw [mailto:g...@cigital.com]
> Sent: Monday, July 18, 2011 6:40 PM
> To: Anurag Agarwal; 'Rohit Sethi'; Secure Code Mailing List
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> hi anurag,
>
> The main difference is it is a prescriptive model based on experience (opinion?). The BSIMM is a descriptive model based on observation of over 40 firms. Stay tuned for BSIMM3 in September-ish.
>
> gem
>
> p.s. See Cargo Cult Computer Security <http://www.informit.com/articles/article.aspx?p=1562220> (January 28, 2010) for more on prescriptive versus descriptive models.
>
> From: Anurag Agarwal <anurag.agar...@yahoo.com>
> Date: Mon, 18 Jul 2011 15:48:50 -0400
> To: 'Rohit Sethi' <rkli...@gmail.com>, Secure Code Mailing List <SC-L@securecoding.org>
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> Rohit - How is this different from BSIMM?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anu...@myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Rohit Sethi
> Sent: Monday, July 18, 2011 2:45 PM
> To: Secure Code Mailing List
> Subject: [SC-L] The Organic Secure SDLC
>
> Hi all,
>
> Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare minimum of production penetration testing through to security in requirements & QA.
>
> In order to help us assess where an organization stands in terms of application security maturity, we developed the Organic Secure SDLC model:
>
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/
>
> If you're an actual practitioner who has lived through developing a secure SDLC, I'd love to hear your thoughts about the model's accuracy / relevancy.
>
> If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next in this model, then please let me know.
>
> Cheers,
>
> --
> Rohit Sethi
> SD Elements
> http://www.sdelements.com
> twitter: rksethi

--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________