[Owasp-leaders] WSJ: Software Security

Jeremy Epstein jeremy.j.epstein at gmail.com
Mon Mar 9 11:25:14 EDT 2009


Gary's study of what companies do overlapped (both in goals and time)
with my study, which focused exclusively on software vendors (see mine at
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/1093-BSI.html
- I didn't have a PR machine).  Mine was less rigorous than his, with
different goals, but substantial overlap.

The key point I want to make is that there are software vendors that
have dedicated software security teams, and software assurance
processes, that Gary is NOT aware of.  Unfortunately, I can't tell him
who they are, because I promised anonymity to each of the participants
in my study.  (Yes, I asked for permission to release the names of the
companies to Gary, but generally did not get that permission.)  So
while Gary's effort is interesting and useful, I'd take it with a
grain of salt - while it's portrayed as being the "top 9 companies",
it's more like "the top 9 that Gary knows about".

I'm guessing that there are also other industries that have software
security teams.  In particular, to address one of the comments on this
list, I believe there are software security teams in the
pharmaceutical industry, which Gary did not include in his study.  And
I'd expect that at least some of them use static analysis as part of
their recipe.  I intentionally restricted my study to the packaged
software industry, so I didn't include them in my study either - or
else I'd be a lot more convinced as to whether they have software
security programs.

--Jeremy

