> To clarify further, this is not meant to be prescriptive or even a set
> of best practices. It's simple observation on how many organizations
> tend to evolve if secure SDLC is not a major priority. I can't say it's
> based on hard data but we have compiled the steps from experiences at
> several clients and validated it with several others.

That is exactly the process we followed with the BSIMM. Some of the BSIMM
participants were well-established, highly capable, and mature. Others,
however, were just getting their security initiatives off the ground. We
didn't cherry-pick the best of the world. We went to firms that were
significant and found out what they were doing.

> If you were seeking advice on how to build security into the SDLC from
> the ground up or looking for a set of activities to perform, you'd be
> better served by looking at BSIMM.

I don't think someone starting from the ground up looks at the BSIMM. If
you do, it's a brainstorming exercise to acquaint yourself with terms and
activities. If you want something prescriptive, Cigital's touchpoints, or
Microsoft's SDL are methodologies that tell you what to do. Think of the
BSIMM like a thermometer. It can tell you the temperature of your SDLC.
What it can't tell you is whether that's the right temperature or not. If
you're making ice cream or if you're making waffles, you have different
temperature needs. BSIMM simply tells you how you're doing right now. (And
over time if you take repeated measurements).

> The organic secure SDLC misses things, like threat modeling, because in
> our observations they don't seem to be done consistently.

I think this "organic SDLC" is mis-named. It is not a software development
lifecycle. It is, if anything, a description of how security awareness
evolves at some organisations. That is, minimally aware people take the
first step of pen testing production systems. As they grow additionally
more aware, they start looking earlier and earlier in the lifecycle. This
thing itself is not a lifecycle. It's an observation about some
organisations and how they gradually awaken to the need for security in
the SDLC.

It is entirely possible that "climbing the wall" might happen as the
result of taking a measurement using the BSIMM. Instead of a linear arrow,
I wonder if you want to have time on the X axis and level of effort on the
Y axis. There's a curve here and "climb the wall" is a point in the curve
where the effort is high.

Anyways, this is just "the order that some firms seem to adopt activities
in their lifecycles." It is not a lifecycle.

Paco


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________