Secure Coding mailing list archives
Re: BSIMM3 lives
From: "Steven M. Christey" <coley () linus mitre org>
Date: Sat, 15 Oct 2011 17:45:07 -0400 (EDT)
Gary,

Congratulations to you, Brian, Sammy, and the rest of the BSIMM3 community!

I have a few questions:

1) Was any analysis done to ensure that the 3 levels are consistent from a maturity perspective - for example, if an organization performed an activity at level 2, that there was a high chance that it also performed many of the level-1 activities? For example, many T2.x activities were done by more organizations than their counterpart T1.x activities, and there's a similar pattern with some SR2.x versus SR1.x.

2) Any thoughts on why the financial services vertical scored noticeably lower than ISVs on Code Review, Architectural Analysis, etc.? Maybe ISVs have a better "infrastructure" for launching these activities because code development is a core aspect of their business?

3) The wording about OWASP ESAPI in SFD2.1 is unclear: "Generic open source software security architectures including OWASP ESAPI should not be considered secure out of the box." Does Struts, mentioned earlier in the paragraph, also fall under the category of "not secure out of the box?" Are you saying that developers must be careful in adopting security middleware?

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- Re: BSIMM3 lives Steven M. Christey (Oct 15)
- Re: BSIMM3 lives Chris Wysopal (Oct 17)
- Re: BSIMM3 lives Gary McGraw (Oct 18)
- Re: BSIMM3 lives Gary McGraw (Oct 18)
- Re: BSIMM3 lives Kevin W. Wall (Oct 20)
- Re: BSIMM3 lives Gary McGraw (Oct 21)
- Re: BSIMM3 lives Greg Beeley (Oct 22)
- Re: BSIMM3 lives Kevin W. Wall (Oct 20)
- Re: BSIMM3 lives Chris Wysopal (Oct 17)