Secure Coding mailing list archives

informIT: third-party software and security

From: Gary McGraw <gem () cigital com>
Date: Wed, 30 Nov 2011 12:29:52 -0500

hi sc-l,

We recently convened a BSIMM Community Conference near Portland, Oregon.  (For a list of the 42 companies participating 
in the BSIMM project, see <http://bsimm.com/community/>.)  The BSIMM project describes and measures the work of 786 SSG 
members who, together with a satellite of 1750 people, have a direct impact on the work of 185,316 developers.

As you know, the BSIMM is mostly about SSDL activities and governance.  However, third-party software plays a major 
role in all of the BSIMM firms and is an important risk factor that must be managed.  In addition to talks from member 
firms, the BSIMM Community Conference also featured a workshop on third-party software and security.

Sammy, Brian, and I wrote up the results in an informIT article that was posted today:
http://www.informit.com/articles/article.aspx?p=1809143

The interesting aspect of our workshop was that it was made up of approximately 50% software vendors and 50% financial 
services firms.  This made for a very interesting conversation around vendor control.

As always, we welcome your feedback and thoughts about our findings.

gem
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________