Secure Coding mailing list archives
BSIMM update (informIT)
From: ken at krvw.com (Kenneth Van Wyk)
Date: Wed, 3 Feb 2010 16:07:53 -0500
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:
Among other things, David and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do.
Thought I'd chime in on this a bit, FWIW...

From my perspective, I welcome BSIMM and I welcome SAMM. I don't see it in the least as a "one or the other" debate.

A decade(ish) since the first texts on various aspects of software security started appearing, it's great to have a BSIMM that surveys some of the largest software groups on the planet to see what they're doing. What actually works. That's fabulously useful.

On the other hand, it is possible that ten thousand lemmings can be wrong. Following the herd isn't always what's best. SAMM, by contrast, was written by some bright, motivated folks, and provides us all with a set of targets to aspire to. Some will work, and some won't, without a doubt.

To me, both models are useful as guideposts to help a software group--an SSG if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves if we consider these to be standards or even maturity models. Any other engineering discipline on the planet would laugh us all out of the room by the mere suggestion. There's value to them, don't get me wrong. But we're still in the larval mode of building an engineering discipline here, folks. After all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and build a set of practices that work for _you_.

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Current thread:
- BSIMM update (informIT) Gary McGraw (Jan 28)
- BSIMM update (informIT) Steven M. Christey (Jan 28)
- BSIMM update (informIT) Kenneth Van Wyk (Feb 03)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 04)
- BSIMM update (informIT) Brian Chess (Feb 04)
- BSIMM update (informIT) Gary McGraw (Feb 04)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 04)
- BSIMM update (informIT) McGovern, James F. (eBusiness) (Feb 04)
- <Possible follow-ups>
- BSIMM update (informIT) Wall, Kevin (Feb 02)
- BSIMM update (informIT) Steven M. Christey (Feb 02)
- BSIMM update (informIT) Gary McGraw (Feb 03)
- BSIMM update (informIT) Mike Boberski (Feb 03)
- BSIMM update (informIT) Steven M. Christey (Feb 03)
- BSIMM update (informIT) Jim Manico (Feb 04)
- BSIMM update (informIT) Steven M. Christey (Feb 02)