Secure Coding mailing list archives

Re: The Organic Secure SDLC


From: Gary McGraw <gem () cigital com>
Date: Mon, 18 Jul 2011 18:40:05 -0400

hi anurag,

The main difference is it is a prescriptive model based on experience (opinion?).  The BSIMM is a descriptive model 
based on observation of over 40 firms.  Stay tuned for BSIMM3 in September-ish.

gem

p.s. See Cargo Cult Computer Security (http://www.informit.com/articles/article.aspx?p=1562220) (January 28, 2010) for 
more on prescriptive versus descriptive models.

From: Anurag Agarwal <anurag.agarwal () yahoo com>
Date: Mon, 18 Jul 2011 15:48:50 -0400
To: 'Rohit Sethi' <rklists () gmail com>, Secure Code Mailing List <SC-L () securecoding org>
Subject: Re: [SC-L] The Organic Secure SDLC

Rohit – How is this different from BSIMM?

Thanks,

Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anurag () myappsecurity com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Rohit Sethi
Sent: Monday, July 18, 2011 2:45 PM
To: Secure Code Mailing List
Subject: [SC-L] The Organic Secure SDLC

Hi all,

Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at 
many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare 
minimum of production penetration testing through to security in requirements & QA.

In order to help us assess where an organization stands in terms of application security maturity, we developed the 
Organic Secure SDLC model: http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/

If you're an actual practitioner who has lived through developing a secure SDLC I'd love to hear your thoughts about 
the model's accuracy / relevancy.

If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next 
in this model then please let me know.

Cheers,

--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

