Secure Coding mailing list archives
Functional Correctness
From: colin.cassidy at ge.com (Cassidy, Colin (GE Infra, Energy))
Date: Sat, 22 Aug 2009 16:52:54 +0200
Brad Andrews writes:

> After all, we can just "implement this maturity model and eliminate all our security problems, at least in the application, right?" That is likely to end up resulting in even more resistance in the future when management questions why they need to keep spending more for software security, a secure architecture, etc. Don't people learn what they need to know at some point?

I don't think it's ever been the case that you can just apply your model and all will be well. Microsoft didn't release their SDL and say "there, all our software will now be secure"; they're constantly evolving their processes. Also, some of the activities within the BSIMM are about constant improvement and keeping up with the latest trends, so even just following the BSIMM, your processes are never static.

> I don't think we will ever be static. As soon as we remove the low hanging fruit, the fruit higher up the tree will be the problem.

Or the fruit on another tree :) Who's attacking the OS now, when the apps are so easy to attack?

> This isn't to say a maturity model is useless, but I remain skeptical that it will live up to the "hype" (low key now, but there) it is being presented with.

I think that the models (both BSIMM and OpenSAMM) help to provide a framework and a direction to those that have no real security practices at all, or allow a measurement of an existing process to see where its weaknesses are. That, and senior management like the pretty graphs even if they don't know what they mean :D

CJC