Secure Coding mailing list archives

Re: BSIMM3 lives


From: "Steven M. Christey" <coley () linus mitre org>
Date: Sat, 15 Oct 2011 17:45:07 -0400 (EDT)


Gary,

Congratulations to you, Brian, Sammy, and the rest of the BSIMM3 community!

I have a few questions:

1) Was any analysis done to ensure that the 3 levels are consistent
   from a maturity perspective - for example, if an organization
   performed an activity at level 2, that there was a high chance that
   it also performed many of the level-1 activities?  For example,
   many T2.x activities were done by more organizations than their
   counterpart T1.x activities, and there's a similar pattern with
   some SR2.x versus SR1.x.

2) Any thoughts on why the financial services vertical scored
   noticeably lower than ISVs on Code Review, Architectural Analysis,
   etc.?  Maybe ISVs have a better "infrastructure" for launching
   these activities because code development is a core aspect of
   their business?

3) The wording about OWASP ESAPI in SFD2.1 is unclear: "Generic open
   source software security architectures including OWASP ESAPI should
   not be considered secure out of the box."  Does Struts, mentioned
   earlier in the paragraph, also fall under the category of "not
   secure out of the box?"  Are you saying that developers must be
   careful in adopting security middleware?


- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________