Secure Coding mailing list archives
Re: The Organic Secure SDLC
From: Paco Hope <Paco () cigital com>
Date: Tue, 19 Jul 2011 11:24:53 -0400
Jim,

You're spot on. BSIMM is not a lifecycle for any company. Heck, it's not even a set of recommendations. It's simply a way to measure what a firm does. It's a model formulated from observations about how some firms implement software security in their lifecycles. You'll never catch us calling the BSIMM a lifecycle.

As for not translating into the SMB market, I don't understand that. Unlike, say, prescriptive standards which say "thou shalt do X" regardless of how big you are, the BSIMM measures maturity of what a firm actually does. There is no reason an SMB could not measure the maturity of their effort using the BSIMM. Maturity is not a function of size. A team of 10 developers might score higher on various criteria than a multi-national bank that has a whole team of people dedicated to app sec. Maturity is a function of the depth to which one takes a certain activity and their capability within that activity.

This isn't Pac-Man, either. The goal is not to get the highest score and an extra man. :) The goal is to put the right level of effort into the right places. A firm can't do that until they know how much effort they're spending on different activities. The BSIMM will illuminate the level of effort. It allows a firm to decide to rebalance and spread the budget/people around across the activities that make sense. Whether that's a team of 10 developers or a team of 1000 developers, the principle is the same. The execution varies.

Here's another analogy. You can have a GPS and know your exact coordinates, to within 3 meters, but not know how to get to the airport by car. The BSIMM will tell you your coordinates at the present time. It does not tell you the best way to the airport. It can tell you the crow-fly distance to the airport, but it can't tell you that the airport is where you want to be.

Paco

Paco,

By your same logic I would not consider BSIMM a lifecycle either. It's a thermometer to measure an SDLC against what some of the largest companies are doing. As others have noted, BSIMM does not translate well into the SMB market where most software is written. Don't get me wrong, BSIMM is very interesting data and is useful. But a comprehensive secure software lifecycle for every company it is not.

- Jim Manico

On Jul 19, 2011, at 9:35 AM, Paco Hope <Paco () cigital com> wrote:

Think of the BSIMM like a thermometer. It

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- The Organic Secure SDLC Rohit Sethi (Jul 18)
- Re: The Organic Secure SDLC Anurag Agarwal (Jul 18)
- Re: The Organic Secure SDLC Gary McGraw (Jul 19)
- Re: The Organic Secure SDLC Anurag Agarwal (Jul 19)
- Re: The Organic Secure SDLC Gary McGraw (Jul 19)
- Re: The Organic Secure SDLC Rohit Sethi (Jul 19)
- Re: The Organic Secure SDLC Paco Hope (Jul 19)
- Re: The Organic Secure SDLC James Manico (Jul 19)
- Re: The Organic Secure SDLC Paco Hope (Jul 19)
- The Organic Secure SDLC John Steven (Jul 20)
- Re: The Organic Secure SDLC Rohit Sethi (Jul 20)
- Message not available
- Re: The Organic Secure SDLC Rohit Sethi (Aug 11)
- Re: The Organic Secure SDLC Gary McGraw (Jul 19)
- Re: The Organic Secure SDLC Anurag Agarwal (Jul 18)
- Re: The Organic Secure SDLC Rohit Sethi (Jul 19)
- Message not available
- Re: The Organic Secure SDLC Rohit Sethi (Jul 19)
- Re: The Organic Secure SDLC Rohit Sethi (Jul 19)