Reality Check: EMC Eric Baize

[gem at cigital.com (Gary McGraw)]

The BSIMM data are coming soon to a website near you.   Stay tuned to sc-l for an early look.

In the meantime here are the three articles that set the stage, with another under way as you read this email:

A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
http://www.informit.com/articles/article.aspx?p=1271382

Software Security Top 10 Surprises (December 15, 2008)
http://www.informit.com/articles/article.aspx?p=1315431

Nine Things Everybody Does: Software Security Activities from the BSIMM (February 9, 2009)
http://www.informit.com/articles/article.aspx?p=1326511

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com


On 3/3/09 10:25 AM, "Kenneth van Wyk" <Ken at KRvW.com> wrote:



On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote:
> Our fearless leader Ken gave a nice presentation on software
> security methodologies yesterday at secappdev.  I wonder what he
> says about the Touchpoints when I'm not in the room?!


Thanks for the kind words.  What I say about the Touchpoints,
Microsoft's SDL, or OWASP's CLASP remains the same whether you're in
the room or not.  They all offer good points and bad points.  I tend
to favor a hybrid approach that works well for me, which is what I
always recommend to my customers.

More importantly, though, I am eager to update the message with what
the companies who participated in the BSIMM are actually doing in
practice.

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com