Secure Coding mailing list archives
Re: informIT: vBSIMM (BSIMM for Vendors)
From: James Manico <jim () manico net>
Date: Tue, 12 Apr 2011 22:32:06 +0200
Hi Gary,

You may wish to consider the OWASP Legal Project at https://www.owasp.org/index.php/Category:OWASP_Legal_Project which is a positive, free, and open resource to assist in building legal contractual agreements around software security with your vendors. The state of NY procurement and others have been using this material as a basis for vendor contract language for years.

Regards,
Jim Manico

On Apr 12, 2011, at 10:18 PM, Gary McGraw <gem () cigital com> wrote:
hi sc-l,

During RSA this year Jim Routh (JPMC), Doug Cavit (Microsoft) and I ended up having a productive "hall meeting" about vendor control, the Microsoft SDL, the BSIMM, and software security. Jim is in search of a way to place some kind of security control over his software vendors (they are ramping up their software security initiative at JPMC this year but also use plenty of COTS and third-party software). The issue is how to get to an SDL-level discussion with vendors instead of languishing in the "OWASP-top-ten for one particular app" space.

Here is an article about Vendor Control and the BSIMM that introduces a very simple attestation-based scheme Sammy and I have developed called vBSIMM. Jim has been in the loop throughout ideation and writing and endorses the approach:

http://www.informit.com/articles/article.aspx?p=1703668

Two things to note:

1) the vBSIMM bar is very low, but the working theory is that three sets of vendors will emerge once we try this out: some vendors (including those who participate in the BSIMM Community) will be well past these simple activities, some will be mealy-mouthed about exactly what they are doing, and some will be clueless. We believe that the vBSIMM will be able to distinguish between those three sets rather easily.

2) beginning with the vBSIMM may encourage smaller vendors to develop more mature software security initiatives. The notion of self-scoring and attestation works for very easy activities such as those included in the vBSIMM. A complete BSIMM score makes much better sense for vendors who are well ahead of the curve (e.g., BSIMM participants).

Don't forget to compare this in your mind to the alternative which seems to be looking for certain bugs in a particular app, one app at a time.
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________