Hi Paco, sorry, I suppose I misunderstood BSIMM's data collection
methodology. In any event, I think it's clear this model isn't really an
alternative to BSIMM - it's a very coarse-grained set of steps that many
organizations follow before they begin to take on a more disciplined
approach to a secure SDLC.

I think you're right about the name. We really mean this to be the
evolution of steps rather than being a lifecycle itself. Thanks for the
suggestion - we'll go ahead and change it.

On Tue, Jul 19, 2011 at 10:09 AM, Paco Hope <p...@cigital.com> wrote:

>
> > To clarify further, this is not meant to be prescriptive or even a set of
> > best practices. It's a simple observation on how many organizations tend
> > to evolve if secure SDLC is not a major priority. I can't say it's based
> > on hard data, but we have compiled the steps from experiences at several
> > clients and validated it with several others.
>
> That is exactly the process we followed with the BSIMM. Some of the BSIMM
> participants were well-established, highly capable, and mature. Others,
> however, were just getting their security initiatives off the ground. We
> didn't cherry-pick the best of the world. We went to firms that were
> significant and found out what they were doing.
>
> > If you were seeking advice on how to build security into the SDLC from
> > the ground up or looking for a set of activities to perform, you'd be
> > better served by looking at BSIMM.
>
> I don't think someone starting from the ground up looks at the BSIMM. If
> you do, it's a brainstorming exercise to acquaint yourself with terms and
> activities. If you want something prescriptive, Cigital's touchpoints, or
> Microsoft's SDL are methodologies that tell you what to do. Think of the
> BSIMM like a thermometer. It can tell you the temperature of your SDLC.
> What it can't tell you is whether that's the right temperature or not. If
> you're making ice cream or if you're making waffles, you have different
> temperature needs. BSIMM simply tells you how you're doing right now. (And
> over time if you take repeated measurements).
>
> > The organic secure SDLC misses things, like threat modeling, because in
> > our observations they don't seem to be done consistently.
>
> I think this "organic SDLC" is mis-named. It is not a software development
> lifecycle. It is, if anything, a description of how security awareness
> evolves at some organisations. That is, minimally aware people take the
> first step of pen testing production systems. As they grow additionally
> more aware, they start looking earlier and earlier in the lifecycle. This
> thing itself is not a lifecycle. It's an observation about some
> organisations and how they gradually awaken to the need for security in
> the SDLC.
>
> It is entirely possible that "climbing the wall" might happen as the
> result of taking a measurement using the BSIMM. Instead of a linear arrow,
> I wonder if you want to have time on the X axis and level of effort on the
> Y axis. There's a curve here and "climb the wall" is a point in the curve
> where the effort is high.
>
> Anyways, this is just "the order that some firms seem to adopt activities
> in their lifecycles." It is not a lifecycle.
>
> Paco
>
>


-- 
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________