Secure Coding mailing list archives
InformIT: You need an SSG
From: mike.boberski at gmail.com (Mike Boberski)
Date: Mon, 21 Dec 2009 19:01:37 -0500
Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. A toolkit example that comes to mind, to keep this email short: the highly-matrixed environment (and actually also the smaller environment, now that I think about it) where developers fly on and off projects. Toolkits that enforce coding standards, and that are treated like any other module of the application in terms of care and feeding, are the only things that give security a fighting chance in environments like those. Best, Mike B. On Mon, Dec 21, 2009 at 8:24 AM, Gary McGraw <gem at cigital.com> wrote:
hi sc-l, This list is made up of a bunch of practitioners (more than a thousand from what Ken tells me), and we collectively have many different ways of promoting software security in our companies and our clients. The BSIMM study <http://bsi-mm.com> focuses attention on software security in large organizations and just at the moment covers the work of 1554 full time employees working every day in 26 software security initiatives. One phenomenon we observed in the BSIMM was that every large initiative has a Software Security Group (SSG) to carry out and lead software security activities. I wrote about our observations around SSGs in this month's informIT article: http://www.informit.com/articles/article.aspx?p=1434903 Simply put, an SSG is a critical part of a software security initiative in all companies with more than 100 developers. (We're still not sure about SSGs in smaller organizations, but the BSIMM Begin data (now hovering at 75 firms) may be revealing.) Cigital's SSG was formed in 1997 (with John Viega, Brad Arkin, and me as founding members). Since its inception, we've helped plan, staff, and carry out ten large software security initiatives in customer firms. One of the most important first tasks is establishing an SSG. Merry New Year everybody. gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://krvw.com/pipermail/sc-l/attachments/20091221/243d91f1/attachment.htm>
Current thread:
- InformIT: You need an SSG Gary McGraw (Dec 21)
- InformIT: You need an SSG Mike Boberski (Dec 21)
- Message not available
- InformIT: You need an SSG Bret Watson (Dec 21)
- InformIT: You need an SSG Gary McGraw (Dec 22)
- Message not available
- InformIT: You need an SSG Dave Aronson (Dec 22)
- InformIT: You need an SSG Mike Boberski (Dec 21)
- InformIT: You need an SSG Benjamin Tomhave (Dec 22)
- InformIT: You need an SSG Gary McGraw (Dec 22)
- InformIT: You need an SSG Boberski, Michael [USA] (Dec 22)
- InformIT: You need an SSG Benjamin Tomhave (Dec 22)
- InformIT: You need an SSG Gary McGraw (Dec 23)
- InformIT: You need an SSG Gary McGraw (Dec 22)
- <Possible follow-ups>
- InformIT: You need an SSG Mike Boberski (Dec 21)
- Message not available
- InformIT: You need an SSG Mike Boberski (Dec 21)
- Message not available