Secure Coding mailing list archives

[SAMM] NIST SP 800-37


From: James.McGovern at thehartford.com (McGovern, James F. (eBusiness))
Date: Wed, 3 Feb 2010 15:45:21 -0500

I like your take. Maybe the SAMM team could provide formal commentary to
NIST in this regard. I suspect that in not providing feedback, it will
be published and those who read it at a later date will get confused as
to the value proposition of each aka more disturbances in the force...

________________________________

From: samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org]
On Behalf Of Bart De Win
Sent: Wednesday, February 03, 2010 2:51 PM
To: Software Assurance Maturity Model (SAMM); SecureCode Mailing List
Subject: Re: [SAMM] NIST SP 800-37



James,

 

I'm not familiar (yet) with the details of SP800-37.

 

However, to add another NIST SP document to this discussion, SP 800-64
(R2 of October 2008) is definitely also worth looking at in the secure
development lifecycle context. Imho, from a bird's eye view, the main
differences between SP 800-64 and SAMM/BSIMM are:

- The NIST model is a process model, while SAMM and BSIMM are
maturity models. This is fundamentally different. In that sense, it is
more related to the SDL/CLASP/TouchPoint type of models.

- In the same line of reasoning, the NIST model is
waterfall-based, while SAMM and BSIMM are actually process agnostic
(they can be applied to waterfall, agile and other types of processes).

- NIST SP 800-64 focuses much more on deployment, operations
and disposal than any of the other models that I've seen so far.

 

I'd also be interested in hearing any other opinions about this one.

 

Best regards,

Bart.

 

------------
Bart De Win CSSLP
Principal Consultant, CC Leader Application Assurance
Tel.: +32 (0)9 243.10.20, Mob: +32 (0)479 46.79.57

"Ascure, demonstrating excellence in operational risk management"

Looking for world class education? Check-out www.ascureacademy.eu
<http://www.ascureacademy.eu/>  and www.bcmacademy.be
<http://www.ascureacademy.eu/> .

________________________________

This message may be confidential. It is also solely for the use of the
individual or group to whom it is addressed. If you have received it by
mistake, please let us know by e-mail reply. Ascure is not liable for
any direct or indirect damage arising from errors, inaccuracies or any
loss in the message, from unauthorized use, disclosure, copying or
alteration of it. 

For the complete version or other languages of this disclaimer see
http://www.ascure.com/disclaimer.htm
<http://www.ascure.com/disclaimer.htm>  

 

From: samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org]
On Behalf Of McGovern, James F. (eBusiness)
Sent: Wednesday, 3 February 2010 19:13
To: Secure Code Mailing List; Software Assurance Maturity Model (SAMM)
Subject: [SAMM] NIST SP 800-37

 

NIST has created a draft document entitled: Guide for applying risk
management framework to federal information systems: a security
lifecycle approach. Curious to know if anyone has identified gaps,
differences in opinion, etc. between NIST and how either SAMM or BSIMM
would define the same?

************************************************************
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If
you are not the intended recipient, please notify the sender immediately
by return e-mail, delete this communication and destroy all copies.
************************************************************