Secure Coding mailing list archives

Re: informIT: vBSIMM (BSIMM for Vendors)


From: James Manico <jim () manico net>
Date: Tue, 12 Apr 2011 22:32:06 +0200

Hi Gary,

You may wish to consider the OWASP Legal Project at
https://www.owasp.org/index.php/Category:OWASP_Legal_Project which is
a positive, free, and open resource to assist in building legal
contractual agreements around software security with your vendors.

The state of NY procurement and others have been using this material
as a basis for vendor contract language for years.

Regards,
Jim Manico

On Apr 12, 2011, at 10:18 PM, Gary McGraw <gem () cigital com> wrote:

hi sc-l,

During RSA this year Jim Routh (JPMC), Doug Cavit (Microsoft) and I ended up having a productive "hall meeting" about vendor control, the Microsoft SDL, the BSIMM, and software security.  Jim is in search of a way to place some kind of security control over his software vendors (they are ramping up their software security initiative at JPMC this year but also use plenty of COTS and third-party software).  The issue is how to get to an SDL-level discussion with vendors instead of languishing in the "OWASP-top-ten for one particular app" space.

Here is an article about Vendor Control and the BSIMM that introduces a very simple attestation-based scheme Sammy and I have developed called vBSIMM.  Jim has been in the loop throughout ideation and writing and endorses the approach:
http://www.informit.com/articles/article.aspx?p=1703668

Two things to note: 1) the vBSIMM bar is very low, but the working theory is that three sets of vendors will emerge once we try this out: some vendors (including those who participate in the BSIMM Community) will be well past these simple activities, some will be mealy-mouthed about exactly what they are doing, and some will be clueless.  We believe that the vBSIMM will be able to distinguish between those three sets rather easily. 2) beginning with the vBSIMM may encourage smaller vendors to develop more mature software security initiatives.

The notion of self-scoring and attestation works for very easy activities such as those included in the vBSIMM.  A complete BSIMM score makes much better sense for vendors who are well ahead of the curve (e.g., BSIMM participants).

Don't forget to compare this in your mind to the alternative, which seems to be looking for certain bugs in a particular app, one app at a time.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
