[Owasp-cmm] Summary of pre-list discussion
mtesauro
mtesauro at gmail.com
Tue Aug 5 10:48:34 EDT 2008
I've noticed that the people in this list don't necessarily match those
who've discussed this previously. For those that missed the discussion
of this before the mail list was created, here's a brief summary of
what's transpired:
(1) James.McGovern[at]thehartford.com posted an initial inquiry about
starting this discussion:
Anyone want to work with me to quickly create the notion of a CMMi like
OWASP maturity model? Analysts and enterprisey types love this stuff...
(2) dan[at]denimgroup.com replied:
We have actually been working on that for a bit and would be happy to
link our work with OWASP. Let me pull together what we have. I am a
little under the gun with some commitments right now so it might take a
couple of days.
(3) wisseman_sta[at]bah.com added:
Thought folks would be interested in knowing that SEI recently agreed to
support the integration of assurance considerations into CMMi. An
industry working group created a draft set of assurance goals and
practices that harmonize existing practices in the Motorola Secure
Software Development Model (MSSDM), System Security Engineering
Capability Maturity Model (SSE-CMM) and experience. The goals and
practices were mapped to CMMI-DEV v1.2 and are currently being used to
create a Focus Topic that can assist other organizations with
integrating assurance into their continuous process improvement
efforts.
(https://buildsecurityin.uscert.gov/swa/downloads/PRM_for_Assurance_to_CMMI.pdf)
The DHS NCSD Software Assurance Processes and Practices working group
(https://buildsecurityin.us-cert.gov/swa/procwg.html) is meeting next
week and would welcome OWASP perspectives/participation. Information on
the working groups is available here:
https://buildsecurityin.us-cert.gov/daisy/bsi/events/982-BSI.html
(4) James.McGovern[at]thehartford.com suggested the creation of a new list
for this topic.
(5) dan[at]denimgroup.com added this update:
Finally had a few minutes to clean up some of our info on this topic and
stuff it into a wiki page:
<https://www.owasp.org/index.php/Application_Security_Maturity_Model>
Please take a look and see if this is in-line with what you all have
been thinking. I have more specifics I can contribute but will need to
do some work to sanitize them before I can stick that info up in a
public place.
(6) James.McGovern[at]thehartford.com replied:
Dan, I am of the belief that lots of folks have their own unique
thoughts on what a maturity model needs to contain. I am awaiting the
creation of the Listserv so that we can invite folks (other than chapter
leaders) to throw in their commentary...
(7) mark.roxberr[at]owasp.org replied:
Good start for a security MM, though does it dilute the message of OWASP
(web application security, not enterprise application security - even if
that line is blurring)? Don't get me wrong, as soon as it is polished and
something I can use, I'll put it in front of my clients.
(8) James.McGovern[at]thehartford.com announced the new list:
FYI. We now have a listserv for discussing the OWASP maturity model.
Please subscribe here:
https://lists.owasp.org/mailman/listinfo/owasp-cmm Upon joining, please
introduce yourself...
Note: Missing from this summary were several people emailing to
indicate their interest in the subject, myself included.
-- Matt Tesauro