Re: The Organic Secure SDLC

[Gary McGraw <gem () cigital com>]

Try this on for size.  JPMC already uses it in practice.

vBSIMM (BSIMM for Vendors)
<http://www.informit.com/articles/article.aspx?p=1703668> (April 12, 2011)



gem


On 7/18/11 8:35 PM, "Anurag Agarwal" <anurag.agarwal () yahoo com> wrote:

> Gary - So my next question is, can we come up with something like BSIMM
> lite, which small or medium size companies with limited resources can use?
> Or maybe pluggable modules, which different companies can pick and choose
> depending on the time and resources they can allocate to it?
>
> My thought process is since we have a comprehensive list of activities
> outlined in BSIMM, we should be able to utilize them unless it is
> something
> which won't work across various types of organizations or dev teams with
> limited resources or other such variables.
>
> What Rohit has outlined in his post is a very small subset of activities
> in
> a secure SDLC methodology. Agreed, most of the companies are allocating
> resources in those activities but that should not be the standard.
> Activities like static code analysis or vulnerability assessment should be
> used to validate threat mitigation and not a source of identifying them,
> since it gives them a false sense of security. The other key element I
> think
> which is required now is the measurement criteria to generate metrics. (I
> don't remember exactly what level of metrics criterias are defined in
> BSIMM)
> but they are a must for a company to assess if they are maturing in their
> process or not otherwise most of the time it ends up being an academic
> exercise and gets bypassed as the deadlines gets near.
>
> Thoughts?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag () myappsecurity com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
>
> -----Original Message-----
> From: Gary McGraw [mailto:gem () cigital com]
> Sent: Monday, July 18, 2011 6:40 PM
> To: Anurag Agarwal; 'Rohit Sethi'; Secure Code Mailing List
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> hi anurag,
>
> The main difference is it is a prescriptive model based on experience
> (opinion?).  The BSIMM is a descriptive model based on observation of over
> 40 firms.  Stay tuned for BSIMM3 in September-ish.
>
> gem
>
> p.s. See Cargo Cult Computer
> Security<http://www.informit.com/articles/article.aspx?p=1562220> (January
> 28, 2010) for more on prescriptive versus descriptive models.
>
> From: Anurag Agarwal
> <anurag.agarwal () yahoo com<mailto:anurag.agarwal () yahoo com>>
> Date: Mon, 18 Jul 2011 15:48:50 -0400
> To: 'Rohit Sethi' <rklists () gmail com<mailto:rklists () gmail com>>, Secure
> Code
> Mailing List <SC-L () securecoding org<mailto:SC-L () securecoding org>>
> Subject: Re: [SC-L] The Organic Secure SDLC
>
> Rohit - How is this different from BSIMM?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag () myappsecurity com<mailto:anurag () myappsecurity com>
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> From: sc-l-bounces () securecoding org<mailto:sc-l-bounces () securecoding org>
> [mailto:sc-l-bounces () securecoding org] On Behalf Of Rohit Sethi
> Sent: Monday, July 18, 2011 2:45 PM
> To: Secure Code Mailing List
> Subject: [SC-L] The Organic Secure SDLC
>
> Hi all,
>
> Over the years we've had the opportunity to see the evolution of security
> in
> software development life cycles (SDLC) at many organizations. We've
> started
> to see patterns in how things evolve from a path of least resistance: from
> the bare minimum of production penetration testing through to security in
> requirements & QA.
>
> In order to help us assess where an organization stands in terms of
> application security maturity, we developed the Organic Secure SDLC model:
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cy
> cl
> e-9-steps/
>
> If you're an actual practitioner who has lived through developing a secure
> SDLC I'd love to hear your thoughts about the model's accuracy /
> relevancy.
>
> If you know of any practical whitepapers / articles that might be of use
> to
> somebody responsible for moving to the next in this model then please let
> me
> know.
>
> Cheers,
>
> --
> Rohit Sethi
> SD Elements
> http://www.sdelements.com
> twitter: rksethi


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________