[Owasp-cmm] Additional thoughts on SAMM
Andy Steingruebl
steingra at gmail.com
Sun Oct 5 10:55:52 EDT 2008
James,
I'm not quite sure how we translate this into some sort of objective,
measurable criteria. Are you serious about bringing this up as a topic for
inclusion, or just saying it's something we should think about?
Seems to me that under this standard we'd have to include all sorts of stuff
in a CMM that isn't directly related to delivering secure software. I even
question whether some of the things that are in the existing SAMM proposal
belong there for all organizations, things like infrastructure hardening.
Before we start expanding the scope, I think it would be useful to focus on
the core concepts first.
- Andy
On Sun, Oct 5, 2008 at 6:36 AM, <james at architectbook.com> wrote:
> Enterprises aren't truly secure unless they also work to secure their
> ecosystem. This could include not only procured software but those in the
> value chain before them. For example, imagine a scenario where you go to
> your local insurance agent to purchase auto insurance and they recommend a
> policy from AIG. Now, if your personally identifiable information gets lost,
> you would probably blame AIG, since you couldn't prove that it was really
> your insurance agent at fault. The same scenario would occur if you switched
> AIG with Aetna and insurance agent with doctor, and so on.
>
> So, the way that maturity needs to be measured in this scenario is the
> notion of the Sensei. A sensei is defined as an outside master or teacher
> that assists in implementing lean practices. The highest level of maturity
> is for organizations that value imparting their knowledge upon others. Do
> they teach others about the importance of security at all levels? Do they
> sponsor organizations such as OWASP? Maturity shouldn't be strictly measured
> on internal, insular criteria.
--
Andy Steingruebl
steingra at gmail.com