Secure Coding mailing list archives
Re: The Organic Secure SDLC
From: Rohit Sethi <rklists () gmail com>
Date: Mon, 18 Jul 2011 21:49:47 -0400
Anurag, this shouldn't be the standard. You shouldn't be prescribing this as a set of activities when you're planning a secure SDLC. BSIMM or vBSIMM or SDL or Open SAMM are all better choices.

On Mon, Jul 18, 2011 at 8:35 PM, Anurag Agarwal <anurag.agarwal () yahoo com> wrote:

Gary - So my next question is, can we come up with something like BSIMM lite, which small or medium size companies with limited resources can use? Or maybe pluggable modules, which different companies can pick and choose depending on the time and resources they can allocate to it? My thought process is, since we have a comprehensive list of activities outlined in BSIMM, we should be able to utilize them unless it is something which won't work across various types of organizations or dev teams with limited resources or other such variables.

What Rohit has outlined in his post is a very small subset of activities in a secure SDLC methodology. Agreed, most of the companies are allocating resources in those activities, but that should not be the standard. Activities like static code analysis or vulnerability assessment should be used to validate threat mitigation and not as a source of identifying them, since it gives them a false sense of security.

The other key element I think which is required now is the measurement criteria to generate metrics. (I don't remember exactly what level of metrics criteria are defined in BSIMM) but they are a must for a company to assess if they are maturing in their process or not; otherwise most of the time it ends up being an academic exercise and gets bypassed as the deadlines get near.

Thoughts?

Thanks,
Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anurag () myappsecurity com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

-----Original Message-----
From: Gary McGraw [mailto:gem () cigital com]
Sent: Monday, July 18, 2011 6:40 PM
To: Anurag Agarwal; 'Rohit Sethi'; Secure Code Mailing List
Subject: Re: [SC-L] The Organic Secure SDLC

hi anurag,

The main difference is it is a prescriptive model based on experience (opinion?). The BSIMM is a descriptive model based on observation of over 40 firms. Stay tuned for BSIMM3 in September-ish.

gem

p.s. See Cargo Cult Computer Security <http://www.informit.com/articles/article.aspx?p=1562220> (January 28, 2010) for more on prescriptive versus descriptive models.

From: Anurag Agarwal <anurag.agarwal () yahoo com>
Date: Mon, 18 Jul 2011 15:48:50 -0400
To: 'Rohit Sethi' <rklists () gmail com>, Secure Code Mailing List <SC-L () securecoding org>
Subject: Re: [SC-L] The Organic Secure SDLC

Rohit - How is this different from BSIMM?

Thanks,
Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anurag () myappsecurity com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Rohit Sethi
Sent: Monday, July 18, 2011 2:45 PM
To: Secure Code Mailing List
Subject: [SC-L] The Organic Secure SDLC

Hi all,

Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare minimum of production penetration testing through to security in requirements & QA. In order to help us assess where an organization stands in terms of application security maturity, we developed the Organic Secure SDLC model:

http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/

If you're an actual practitioner who has lived through developing a secure SDLC, I'd love to hear your thoughts about the model's accuracy / relevancy. If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next in this model, then please let me know.

Cheers,
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________