Gary,
Congratulations to you, Brian, Sammy, and the rest of the BSIMM3 community!
I have a few questions:

1) Was any analysis done to ensure that the 3 levels are consistent from a maturity perspective - for example, if an organization performed an activity at level 2, that there was a high chance that it also performed many of the level-1 activities? For example, many T2.x activities were done by more organizations than their counterpart T1.x activities, and there's a similar pattern with some SR2.x versus SR1.x.

2) Any thoughts on why the financial services vertical scored noticeably lower than ISVs on Code Review, Architectural Analysis, etc.? Maybe ISVs have a better "infrastructure" for launching these activities because code development is a core aspect of their business?

3) The wording about OWASP ESAPI in SFD2.1 is unclear: "Generic open source software security architectures including OWASP ESAPI should not be considered secure out of the box." Does Struts, mentioned earlier in the paragraph, also fall under the category of "not secure out of the box?" Are you saying that developers must be careful in adopting security middleware?

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________