Secure Coding mailing list archives

Functional Correctness


From: andrews at rbacomm.com (Brad Andrews)
Date: Fri, 21 Aug 2009 15:18:09 -0500


Now that you mention it....

I was listening to the CERT podcast where you and a couple of others  
discussed the BSIMM (probably a while back since I am well behind on  
those).  You made a statement along these lines and I immediately  
thought that I disagreed!  :)

I don't think software security is as simple as that.  I do agree that  
companies can (and should) do far more than they do and that many  
things could be eliminated with very mechanical fixes, but I don't  
think that gives a good long-term perspective.  I also think that it  
will set management's expectation at a level that will ultimately be  
harmful.

After all, we can just "implement this maturity model and eliminate  
all our security problems, at least in the application, right?"  That  
is likely to end up resulting in even more resistance in the future  
when management questions why they need to keep spending more for  
software security, a secure architecture, etc.  Don't people learn  
what they need to know at some point?

I don't think we will ever be static.  As soon as we remove the low  
hanging fruit, the fruit higher up the tree will be the problem.

This isn't to say a maturity model is useless, but I remain skeptical  
that it will live up to the "hype" (low key now, but there) it is  
being presented with.

I am sure this is not as smoothly presented as it needs to be, but I  
am fairly certain of the general thrust of my conviction.  I suppose  
20+ in software development helps.

-- 

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Gary McGraw <gem at cigital.com>:

> Software security is an intensely practical problem that will
> require a practical approach.  By studying organizations that are
> doing a decent job, perhaps we can draw some practical lessons.
> That's precisely what we're up to with the BSIMM <http://bsi-mm.com>.



Current thread: