Secure Coding mailing list archives
Re: BSIMM-V Article in Application Development Times
From: Stephen de Vries <stephen () continuumsecurity net>
Date: Wed, 22 Jan 2014 08:50:05 +0100
For anyone interested in this topic and working in appsec and/or dev, there’s a survey by the trusted software alliance which touches on some of these questions here: https://www.surveymonkey.com/s/Developers_and_AppSec
On Jan 7, 2014, at 8:07 PM, Christian Heinrich <christian.heinrich () cmlh id au> wrote:

> Stephen,
>
> On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries <stephen () continuumsecurity net> wrote:
>
>> Leaving the definition of agile aside for the moment, doesn’t the fact that the BSIMM measures organisation-wide activities but not individual dev teams mean that we could be drawing inaccurate conclusions from the data? E.g. if an organisation says it is doing arch reviews, code reviews and sec testing, it doesn’t necessarily mean that every team is doing all of those activities, so it may give the BSIMM reader a false impression of the use of those activities in the real world. In addition to knowing which activities are practiced organisation-wide, it would also be valuable to know which activities work well on a per-team or per-project basis.
>
> My reading of the "Roles" section of BSIMM-V.pdf is that the people interviewed for the BSIMM sample are:
>
> 1. Executive Leadership (or CISO, VP of Risk, CSO, etc.)
> 2. Everyone else within the Software Security Group (SSG)
>
> What you are asking to be included is what is referred to as the "Satellite" within BSIMM-V.pdf, and I believe this may also require the inclusion of http://cmmiinstitute.com/cmmi-solutions/cmmi-for-development/ too (why not :) ).
>
> The issue with this is that it would invalidate the statistics from the prior five BSIMM releases due to the inclusion of new questions, and in addition these new statistics were not gathered over time either, hence the improvements measured over time within BSIMM would be invalid too due to the new dataset.
>
> Furthermore, Gary, Sammy and Brian have limited time to interview all 67 BSIMM participating firms.
>
> However, I would be interested to know the "BSIMM Advisory Board" (i.e. http://bsimm.com/community/) view on this, and if it would be possible to undertake this additional sampling within their own BSIMM participating firm to determine if additional value would be gained for BSIMM.
>
> However, I suspect that an objective measurement would be too hard to quantify due to the internal politics of each BSIMM participating firm, but I could be wrong.