Secure Coding mailing list archives

InformIT: You need an SSG


From: gem at cigital.com (Gary McGraw)
Date: Mon, 21 Dec 2009 08:24:11 -0500

hi sc-l,

This list is made up of a bunch of practitioners (more than a thousand from what Ken tells me), and we collectively 
have many different ways of promoting software security in our companies and our clients.  The BSIMM study 
<http://bsi-mm.com> focuses attention on software security in large organizations and just at the moment covers the 
work of 1554 full-time employees working every day in 26 software security initiatives.  One phenomenon we observed in 
the BSIMM was that every large initiative has a Software Security Group (SSG) to carry out and lead software security 
activities.

I wrote about our observations around SSGs in this month's InformIT article:

http://www.informit.com/articles/article.aspx?p=1434903

Simply put, an SSG is a critical part of a software security initiative in all companies with more than 100 developers. 
(We're still not sure about SSGs in smaller organizations, but the BSIMM Begin data (now hovering at 75 firms) may be 
revealing.)

Cigital's SSG was formed in 1997 (with John Viega, Brad Arkin, and me as founding members).  Since its inception, we've 
helped plan, staff, and carry out ten large software security initiatives in customer firms.  One of the most important 
first tasks is establishing an SSG.

Merry New Year, everybody.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
