[Owasp-leaders] WSJ: Software Security

Justin Clarke justin at justinclarke.com
Thu Mar 5 16:01:48 EST 2009


It is and it isn¹t. What we don¹t have in this area (software security) is
any kind of study as to what works. We have a lot of collected wisdom, but
no real academic study of what works best/better. My understanding is that
the BSI-MM looks to capture how those 9 companies have done it (presumably
successfully) and derive the successful practices they do as a model other
people could use.

Also related is OpenSAMM (Software Assurance Maturity Model), which is/will
be an OWASP project (http://www.opensamm.org) which is structured in a
similar way.

Uses for these?
* providing a framework for mapping back what you¹re doing in an
initiative... Handy for explaining to management/stakeholders how disparate
efforts in different areas support the secure software initiative
* measuring how you¹re going (i.e. A baseline) and then using it to plan
where you¹re going 
* assessing a software development process against an industry ³best
practice² - i.e. For internal auditors

And probably many others... Very much for looking at the process as opposed
to a deliverable like ASVS I think...

Cheers

Justin


On 05/03/2009 18:26, "Jim Manico" <jim.manico at aspectsecurity.com> wrote:

>> > Would be cool if OWASP Bloggers provided their commentary...
> 
> BSI looks VERY high level doc to help a large org "plan a software security
> initiative". Stuff like:
>  
> Ensure host and network security basics are in place. The organization
> provides a solid foundation for software by ensuring that host and network
> security basics are in place. It is common for operations security teams to be
> responsible for duties such as patching operating systems and maintaining
> firewalls.
>  
> Not a lot of gritty detail.
>  
> I know that this and http://www.owasp.org/index.php/ASVS  try to solve
> different problems, but ASVS seems to scratch the itch much more than BSI.
>  
> This is just my initial reaction. I'm interviewing Chess over this next week
> and will approach the interview with an open mind.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090305/3efc4fbe/attachment.html 


More information about the OWASP-Leaders mailing list