[Owasp-leaders] WSJ: Software Security

Pravir Chandra chandra at list.org
Fri Mar 6 17:55:33 EST 2009

Relationship between SAMM and BSIMM? That's a question I've been
getting a lot in the past two days :)


Justin, I think you hit it head on. One of the main hangups for many
organizations trying to use the SDLC-based processes (MS SDL, CLASP,
Touchpoints, etc.) is that they (generally) don't have enough guidance
on how to actually implement it and improve. The maturity model based
approach helps a bit by combining in the notion of iterative

When I built SAMM, my goal was to (as Jim says) add the gritty detail.
And the feedback I've gotten so far from the Beta release tells me
we're getting there, but have more work to do.

I also wanted to see the same level of detail in the BSI-MM release,
but it wasn't there. Why is that the case? I've got my opinions on it,
but really don't know.


On Thu, Mar 5, 2009 at 1:01 PM, Justin Clarke <justin at justinclarke.com> wrote:
> It is and it isn’t. What we don’t have in this area (software security) is
> any kind of study as to what works. We have a lot of collected wisdom, but
> no real academic study of what works best/better. My understanding is that
> the BSI-MM looks to capture how those 9 companies have done it (presumably
> successfully) and derive the successful practices they do as a model other
> people could use.
> Also related is OpenSAMM (Software Assurance Maturity Model), which is/will
> be an OWASP project (http://www.opensamm.org) which is structured in a
> similar way.
> Uses for these?
> - providing a framework for mapping back what you’re doing in an initiative...
> - handy for explaining to management/stakeholders how disparate efforts in
>   different areas support the secure software initiative
> - measuring how you’re going (i.e. a baseline) and then using it to plan where
>   you’re going
> - assessing a software development process against an industry “best practice”
>   (i.e. for internal auditors)
> And probably many others... Very much for looking at the process as opposed
> to a deliverable like ASVS I think...
> Cheers
> Justin
> On 05/03/2009 18:26, "Jim Manico" <jim.manico at aspectsecurity.com> wrote:
>> Would be cool if OWASP Bloggers provided their commentary...
> BSI looks VERY high level doc to help a large org "plan a software security
> initiative". Stuff like:
> Ensure host and network security basics are in place. The organization
> provides a solid foundation for software by ensuring that host and network
> security basics are in place. It is common for operations security teams to
> be responsible for duties such as patching operating systems and maintaining
> firewalls.
> Not a lot of gritty detail.
> I know that this and http://www.owasp.org/index.php/ASVS try to solve
> different problems, but ASVS seems to scratch the itch much more than BSI.
> This is just my initial reaction. I'm interviewing Chess over this next week
> and will approach the interview with an open mind.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~