Secure Coding mailing list archives

Re: The Organic Secure SDLC


From: Paco Hope <Paco () cigital com>
Date: Tue, 19 Jul 2011 11:24:53 -0400

Jim,

You're spot on. BSIMM is not a lifecycle for any company. Heck, it's not even a set of recommendations. It's simply a 
way to measure what a firm does. It's a model formulated from observations about how some firms implement software 
security in their lifecycles. You'll never catch us calling the BSIMM a lifecycle.

As for not translating into the SMB market, I don't understand that. Unlike, say, prescriptive standards, which say "thou 
shalt do X" regardless of how big you are, the BSIMM measures maturity of what a firm actually does. There is no reason 
an SMB could not measure the maturity of their effort using the BSIMM.

Maturity is not a function of size. A team of 10 developers might score higher on various criteria than a 
multi-national bank that has a whole team of people dedicated to app sec. Maturity is a function of the depth to which 
one takes a certain activity and their capability within that activity.

This isn't Pac-Man, either. The goal is not to get the highest score and an extra man. :) The goal is to put the right 
level of effort into the right places. A firm can't do that until they know how much effort they're spending on 
different activities. The BSIMM will illuminate the level of effort. It allows a firm to decide to rebalance and spread 
the budget/people around across the activities that make sense. Whether that's a team of 10 developers or a team of 
1000 developers, the principle is the same. The execution varies.

Here's another analogy. You can have a GPS and know your exact coordinates, to within 3 meters, but not know how to get 
to the airport by car. The BSIMM will tell you your coordinates at the present time. It does not tell you the best way 
to the airport. It can tell you the crow-fly distance to the airport, but it can't tell you that the airport is where 
you want to be.

Paco


Paco,

By your same logic I would not consider BSIMM a lifecycle either. It's
a thermometer to measure an SDLC against what some of the largest
companies are doing. As others have noted, BSIMM does not translate
well into the SMB market where most software is written. Don't get me
wrong, BSIMM is very interesting data and is useful. But a
comprehensive secure software lifecycle for every company it is not.

- Jim Manico

On Jul 19, 2011, at 9:35 AM, Paco Hope <Paco () cigital com<mailto:Paco () cigital com>> wrote:

Think of the
BSIMM like a thermometer. It


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

