Secure Coding mailing list archives

InformIT: You need an SSG


From: gem at cigital.com (Gary McGraw)
Date: Tue, 22 Dec 2009 09:12:53 -0500

hi bret and mike,

While you guys are certainly entitled to your opinion, I think it is important to acknowledge facts when you state an 
argument.  Please take a few minutes to read the article I posted on SSGs (this "committee" language you're both using 
is very humorous BTW...thanks for the laugh).   After you've read the article, let's have an informed debate. Here's the 
URL again:

http://www.informit.com/articles/article.aspx?p=1434903

The article draws conclusions based on observations from 26 companies (Microsoft is only 1 of the 26).   The data I 
based my SSG claims on are provided in analyzed form.  Just for the record, the article also states that we're not sure 
whether the data described in the BSIMM are relevant for SMB (small and medium sized businesses), something I repeated 
in my sc-l post yesterday.   We have plans to find out using real data (again).  We will not draw any conclusions 
without gathering data and publishing it.

Your opinion that an SSG "rarely delivers anything useful" certainly does not apply to the 26 companies we studied (so 
far) in the BSIMM, nor does it cohere with my fifteen years of experience in the field.  What observations are you 
basing your argument on?  Can you show us some data?

I'm afraid your toolset argument teeters precariously on opinion and falls into a familiar pattern that goes something 
like this in BNF:

<FlavOfDay> = {<owasp top 10>, <code review tools>,<pen testing>,<firewalls>,<APIs>,<rampant finger crossing>}
     Software security can be solved by <FlavOfDay> because I said so.

While it is true that you said so, I'm pretty sure you're going to need a more convincing argument.  Unless we rely on 
data and evidence when we do our work, we'll end up looking just as silly as those people who disagree with evolution 
and global warming.

It's science time.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 12/21/09 11:24 PM, "Bret Watson" <lists at ticm.com> wrote:

At 08:01 AM 22/12/2009, Mike Boberski wrote:
Hi Gary.

To play devil's advocate:

Current organizational practices aside, I would say that
organizations really need more and better toolkits and standards for
developers to use, than they need more and better committees.

I'd have to agree - whilst SSG is probably a great opportunity for a
management consultant, it rarely delivers anything directly useful.
In fact I would go as far as to say that if a SSG delivers something
useful, the organisation was already ready to deliver the changes.
Committees rarely take direct ownership of a problem.

Toolsets may or may not deliver results - depending on if there are
ways around them - too often you hear the excuse "we can't waste time
with that - the business won't wait"

However, toolsets will work if you have a good, properly supported
security mgmt function :)

Cheers

Bret
