Secure Coding mailing list archives

Justice League » Blog Archive » Cigital’s Touchpoints versus Microsoft’s SDL [Cigital]


From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 8 Mar 2007 16:17:27 -0500

SC-L,

I'm often asked by folks to compare and contrast some of the various  
published software security practices, from Microsoft's SDL and  
OWASP's CLASP through Cigital's "Touchpoint" processes.  My own view  
is that they all offer value and are all worthy of consideration.  In  
his most recent "Justice League" blog entry, Gary McGraw offers his  
own (obviously biased, as Cigital's CTO) comparison between their own  
approaches and Microsoft's SDL.  You can read what he has to say at:

http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/

After recently reading Michael Howard and Steve Lipner's SDL book, I  
found a lot that I liked -- notably their discussions about testing.   
I admit that it largely changed my opinion about the value of (smart)  
fuzzing, for example.

But how about others' experiences?  I've found a lot of people feel  
comfortable with Microsoft's STRIDE / DREAD approaches because  
they're relatively lightweight and an easy first step to take.   
Anyone here care to offer their own opinions and experiences?

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



