[SAMM] NIST SP 800-37

Bart De Win Bart.DeWin at ascure.com
Wed Feb 3 14:50:42 EST 2010


James,

I'm not familiar (yet) with the details of SP800-37.

However, to add another NIST SP document to this discussion, SP 800-64 (R2 of October 2008) is definitely also worth looking at in the secure development lifecycle context. Imho, from a bird's eye view, the main differences between SP 800-64 and SAMM/BSIMM are:

- The NIST model is a process model, while SAMM and BSIMM are maturity models. This is fundamentally different. In that sense, it is more related to the SDL/CLASP/TouchPoint type of models.

- In the same line of reasoning, the NIST model is waterfall-based, while SAMM and BSIMM are actually process agnostic (they can be applied to waterfall, agile and other types of processes).

- NIST SP 800-64 focuses much more on deployment, operations and disposal than any of the other models that I've seen so far.

I'd also be interested in hearing any other opinions about this one.


Best regards,
Bart.

------------
Bart De Win CSSLP
Principal Consultant, CC Leader Application Assurance
Tel.: +32 (0)9 243.10.20, Mob: +32 (0)479 46.79.57

"Ascure, demonstrating excellence in operational risk management"
Looking for world class education? Check out www.ascureacademy.eu and www.bcmacademy.be.

From: samm-bounces at lists.owasp.org [mailto:samm-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (eBusiness)
Sent: Wednesday 3 February 2010 19:13
To: Secure Code Mailing List; Software Assurance Maturity Model (SAMM)
Subject: [SAMM] NIST SP 800-37


NIST has created a draft document entitled: Guide for applying risk management framework to federal information systems: a security lifecycle approach. Curious to know if anyone has identified gaps, differences in opinion, etc between NIST and how either SAMM or BSIMM would define the same?
