Secure Coding mailing list archives

informIT: Efficiency and effectiveness of software security practices


From: Gary McGraw <gem () cigital com>
Date: Wed, 29 Dec 2010 10:21:36 -0500

hi sc-l,

In November we held a BSIMM Community Conference which 20 of the 32 BSIMM2 participating firms attended (see http://bsimm.com). The conference was fantastic <http://www.cigital.com/justiceleague/2010/11/12/bsimm-community-conference/>. During the conference we included a workshop on efficiency and effectiveness where we gathered data about how software security initiative executives set their practice mix to achieve the greatest success. Sammy and I just wrote up a short article with the data and some cursory analysis:

Software [In]security: Driving Efficiency and Effectiveness in Software Security
http://www.informit.com/articles/article.aspx?p=1671924

Our most interesting observation:
…effort in Penetration Testing starts out very high in young initiatives just getting started and decreases dramatically as software security initiatives get older. …there's also an interesting bulge in Architecture Analysis and Code Review in the middle "adolescent" bucket. …Practices in older organizations are more evenly balanced than young initiatives or adolescent initiatives.

We've really only scratched the surface of the practice-mix question with this data set. Plenty of work remains. (I think Jeremiah will like the spend data though.)

Your comments, feedback, and use of the data are welcome.

Merry new year everybody.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
