[Owasp-leaders] WSJ: Software Security

Tom Brennan - OWASP tomb at owasp.org
Mon Mar 9 11:29:24 EDT 2009

Great work Jeremy - see you Friday in DC

Any questions, give me a call at 973-202-0122

-----Original Message-----
From: Jeremy Epstein <jeremy.j.epstein at gmail.com>

Date: Mon, 9 Mar 2009 10:25:14 
To: <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] WSJ: Software Security

Gary's study of what companies do overlapped (both in goals and time)
my study focused exclusively on software vendors (see mine at
- I didn't have a PR machine).  Mine was less rigorous than his, with
different goals, but substantial overlap.

The key point I want to make is that there are software vendors that
have dedicated software security teams, and software assurance
processes, that Gary is NOT aware of.  Unfortunately, I can't tell him
who they are, because I promised anonymity to each of the participants
in my study.  (Yes, I asked for permission to release the names of the
companies to Gary, but generally did not get that permission.)  So
while Gary's effort is interesting and useful, I'd take it with a
grain of salt - while it's portrayed as being the "top 9 companies",
it's more like "the top 9 that Gary knows about".

I'm guessing that there are also other industries that have software
security teams.  In particular, to address one of the comments on this
list, I believe there are software security teams in the
pharmaceutical industry, which Gary did not include in his study.  And
I'd expect that at least some of them use static analysis as part of
their recipe.  I intentionally restricted my study to the packaged
software industry, so I didn't include them in my study either - or
else I'd be a lot more convinced as to whether they have software
security programs.
