[Owasp-leaders] WSJ: Software Security

Pravir Chandra chandra at list.org
Fri Mar 6 19:10:09 EST 2009


Given the sector totals, they're both large financial firms, I think.

p.

~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: "Marco M. Morana" <marco.m.morana at gmail.com>

Date: Fri, 6 Mar 2009 18:59:56 
To: <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] WSJ: Software Security


" ...to capture how those 9 companies have done it.."

I counted: (1) Adobe, (2) EMC, (3) Google, (4) Microsoft, (5) QUALCOMM, (6) Wells Fargo, and (7) Depository Trust & Clearing Corporation (DTCC).
Wonder who the other two "incognitos" are.. just curiosity and math :)

Regards

Marco Morana

----- Original Message ----- 
From: "Pravir Chandra" <chandra at list.org>
To: <owasp-leaders at lists.owasp.org>
Sent: Friday, March 06, 2009 5:55 PM
Subject: Re: [Owasp-leaders] WSJ: Software Security


Relationship between SAMM and BSIMM? That's a question I've been
getting a lot in the past two days :)

http://www.opensamm.org/2009/03/whats-up-with-the-other-model/

Justin, I think you hit it head on. One of the main hangups for many
organizations trying to use the SDLC-based processes (MS SDL, CLASP,
Touchpoints, etc.) is that they (generally) don't have enough guidance
on how to actually implement it and improve. The maturity model based
approach helps a bit by combining in the notion of iterative
improvement.

When I built SAMM, my goal was to (as Jim says) add the gritty detail.
And the feedback I've gotten so far from the Beta release tells me
we're getting there, but have more work to do.

I also wanted to see the same level of detail in the BSI-MM release,
but it wasn't there. Why is that the case? I've got my opinions on it,
but really don't know.

p.

On Thu, Mar 5, 2009 at 1:01 PM, Justin Clarke <justin at justinclarke.com> wrote:
> It is and it isn’t. What we don’t have in this area (software security) is
> any kind of study as to what works. We have a lot of collected wisdom, but
> no real academic study of what works best/better. My understanding is that
> the BSI-MM looks to capture how those 9 companies have done it (presumably
> successfully) and derive the successful practices they do as a model other
> people could use.
>
> Also related is OpenSAMM (Software Assurance Maturity Model), which is/will
> be an OWASP project (http://www.opensamm.org) which is structured in a
> similar way.
>
> Uses for these?
>
> - providing a framework for mapping back what you’re doing in an initiative...
> Handy for explaining to management/stakeholders how disparate efforts in
> different areas support the secure software initiative
> - measuring how you’re going (i.e. A baseline) and then using it to plan where
> you’re going
> - assessing a software development process against an industry “best practice”
> - i.e. For internal auditors
>
> And probably many others... Very much for looking at the process as opposed
> to a deliverable like ASVS I think...
>
> Cheers
>
> Justin
>
>
> On 05/03/2009 18:26, "Jim Manico" <jim.manico at aspectsecurity.com> wrote:
>
>> Would be cool if OWASP Bloggers provided their commentary...
>
> BSI looks VERY high level doc to help a large org "plan a software security
> initiative". Stuff like:
>
> Ensure host and network security basics are in place. The organization
> provides a solid foundation for software by ensuring that host and network
> security basics are in place. It is common for operations security teams to
> be responsible for duties such as patching operating systems and maintaining
> firewalls.
>
> Not a lot of gritty detail.
>
> I know that this and http://www.owasp.org/index.php/ASVS try to solve
> different problems, but ASVS seems to scratch the itch much more than BSI.
>
> This is just my initial reaction. I'm interviewing Chess over this next week
> and will approach the interview with an open mind.
>
>_______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


