Secure Coding mailing list archives

Re: BSIMM-V Article in Application Development Times


From: Sammy Migues <SMigues () cigital com>
Date: Fri, 20 Dec 2013 11:29:19 -0500

Hi Stephen,

I agree that would be interesting. While we have data at the firm level for all BSIMM participants, and at the BU level 
for many BSIMM participants, we don't formally capture data on development methodology (as opposed to software security 
activities) for each development team (which may number well into the double digits for many BSIMM participants).

Also, in nearly all cases, it would be very hard to characterize an entire firm or even an entire business unit in 
larger firms as "Agile" or not. Many larger firms use "Agile" for only a small percentage of projects (e.g., for mobile 
or cloud things, if they're a traditional waterfall shop and are just evolving into new technology stacks). Even those 
firms who "do Agile" often do it in different ways across different development teams, even in the same business unit. 
The teams with very large applications or critical applications that go through more testing might do 3-4 week sprints 
while others do 2-week sprints. However, they might be using exactly the same process, so I'm not sure the frequency of 
deployment would work as the measure of "agility."

As for writing "Agile" rather than Agile above, firms and teams who call themselves "Agile" mean many different things 
with that word. I've run into some teams who feel very agile in their quarterly development cycles and at least one 
that "scrums" its way through various parts of their waterfall process.

Cheers,

--Sammy.

-----Original Message-----
From: SC-L [mailto:sc-l-bounces () securecoding org] On Behalf Of Stephen de Vries
Sent: Tuesday, December 17, 2013 5:21 AM
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM-V Article in Application Development Times


On 13 Dec 2013, at 22:51, Gary McGraw <gem () cigital com> wrote:

From time to time we talk about getting to the dev community here.  This article is at least in the right publication!

Read it and pass it on: http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx

Hi Gary,

In the current BSIMM-V dataset is it possible to narrow the data down to only organisations practising Agile dev?  I 
think it would be interesting to see which BSIMM activities are popular with agile houses, and which not.

Ideally, it would be nice to not only differentiate between Agile and non-agile, but different degrees of agile based 
on the length of iterations and/or the frequency of deployments.  E.g. less-agile = 3 month iterations and multi-month 
deploys, more-agile = continuous delivery with multiple deploys per day.


regards,


Stephen de Vries

http://www.continuumsecurity.net
Twitter: @stephendv



_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________