Secure Coding mailing list archives
[SAMM] NIST SP 800-37
From: James.McGovern at thehartford.com (McGovern, James F. (eBusiness))
Date: Wed, 3 Feb 2010 15:45:21 -0500
I like your take. Maybe the SAMM team could provide formal commentary to NIST in this regard. I suspect that in not providing feedback, it will be published and those who read it at a later date will get confused as to the value proposition of each, aka more disturbances in the force...

________________________________
From: samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org] On Behalf Of Bart De Win
Sent: Wednesday, February 03, 2010 2:51 PM
To: Software Assurance Maturity Model (SAMM); SecureCode Mailing List
Subject: Re: [SAMM] NIST SP 800-37

James,

I'm not familiar (yet) with the details of SP800-37. However, to add another NIST SP document to this discussion, SP 800-64 (R2 of October 2008) is definitely also worth looking at in the secure development lifecycle context.

Imho, from a bird's eye view, the main differences between SP 800-64 and SAMM/BSIMM are:

- The NIST model is a process model, while SAMM and BSIMM are maturity models. This is fundamentally different. In that sense, it is more related to the SDL/CLASP/TouchPoint type of models.
- In the same line of reasoning, the NIST model is waterfall-based, while SAMM and BSIMM are actually process agnostic (they can be applied to waterfall, agile and other types of processes).
- NIST SP 800-64 focuses much more on deployment, operations and disposal than any of the other models that I've seen so far.

I'd also be interested in hearing any other opinions about this one.

Best regards,
Bart.

------------
Bart De Win CSSLP
Principal Consultant, CC Leader Application Assurance
Tel.: +32 (0)9 243.10.20, Mob: +32 (0)479 46.79.57
"Ascure, demonstrating excellence in operational risk management"
Looking for world class education? Check out www.ascureacademy.eu and www.bcmacademy.be.

________________________________
This message may be confidential. It is also solely for the use of the individual or group to whom it is addressed. If you have received it by mistake, please let us know by e-mail reply. Ascure is not liable for any direct or indirect damage arising from errors, inaccuracies or any loss in the message, from unauthorized use, disclosure, copying or alteration of it. For the complete version or other languages of this disclaimer see http://www.ascure.com/disclaimer.htm

From: samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (eBusiness)
Sent: Wednesday, 3 February 2010 19:13
To: Secure Code Mailing List; Software Assurance Maturity Model (SAMM)
Subject: [SAMM] NIST SP 800-37

NIST has created a draft document entitled: Guide for applying risk management framework to federal information systems: a security lifecycle approach. Curious to know if anyone has identified gaps, differences in opinion, etc. between NIST and how either SAMM or BSIMM would define the same?

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************