Secure Coding mailing list archives
Justice League » Blog Archive » Cigital’s Touchpoints versus Microsoft’s SDL [Cigital]
From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 8 Mar 2007 16:17:27 -0500
SC-L,

I'm often asked by folks to compare and contrast some of the various published software security practices, from Microsoft's SDL and OWASP's CLASP through Cigital's "Touchpoint" processes. My own view is that they all offer value and are all worthy of consideration. In his most recent "Justice League" blog entry, Gary McGraw offers his own (obviously biased, as Cigital's CTO) comparison between their own approaches and Microsoft's SDL. You can read what he has to say at:

http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/

After recently reading Michael Howard and Steve Lipner's SDL book, I found a lot that I liked -- notably their discussions about testing. I admit that it largely changed my opinion about the value of (smart) fuzzing, for example.

But how about others' experiences? I've found a lot of people feel comfortable with Microsoft's STRIDE / DREAD approaches because they're relatively lightweight and an easy first step to take. Anyone here care to offer their own opinions and experiences?

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com