[SAMM] SAMM model - Fixing phase

Christian Heinrich christian.heinrich at owasp.org
Tue Jan 18 01:49:19 EST 2011


Matteo,

On Tue, Jan 18, 2011 at 4:36 AM, Matteo Meucci
<matteo.meucci at mindedsecurity.com> wrote:
> Then, I did a "SAMM assessment" for a Company here in Italy and I'd like
> to discuss a new item that maybe we can add to the list of the Security
> Practices or maybe improve the VulnMng practice.
>
> I see many Companies that do Security Testing but no fixing at all, or
> some basic fixes, but they have a security response team to manage
> vulnerabilities after an attack. IMO the fixing phase before the
> app is deployed is really important to evaluate the maturity of the
> sw-dev-proc.
> We analyze that in the Vulnerability Management practice, but in the
> model we did not focus on how the Company creates a fixing phase after a
> Code Review or Penetration Test. Reporting this is interesting to
> evaluate the efficiency of an outsourcer: the time they spent to fix a
> bug and how they fix it is interesting for the SAMM model.

This is also addressed by BSIMM2 i.e. PT1.2 "Feed results to defect
management and mitigation system"

The intended "executive" audience for a maturity model would not want
to be drawn into the low level detail, i.e. the politics of "security" bugs
vs other bugs, e.g.
http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html
http://article.gmane.org/gmane.linux.kernel/706950

Measuring the timeline is more subjective due to politics, e.g.
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html
and then http://zerodayinitiative.com/advisories/upcoming/


-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh