Hi Stephen, I agree that would be interesting. While we have data at the firm level for all BSIMM participants, and at the BU level for many BSIMM participants, we don't formally capture data on development methodology (as opposed to software security activities) for each development team (which may number well into the double digits for many BSIMM participants).
Also, in nearly all cases, it would be very hard to characterize an entire firm or even an entire business unit in larger firms as "Agile" or not. Many larger firms use "Agile" for only a small percentage of projects (e.g., for mobile or cloud things, if they're a traditional waterfall shop and are just evolving into new technology stacks). Even those firms who "do Agile" often do it in different ways across different development teams, even in the same business unit. The teams with very large applications or critical applications that go through more testing might do 3-4 week sprints while others do 2-week sprints. However, they might be using exactly the same process, so I'm not sure the frequency of deployment would work as the measure of "agility." As for writing "Agile" rather than Agile above, firms and teams who call themselves "Agile" mean many different things with that word. I've run into some teams who feel very agile in their quarterly development cycles and at least one that "scrums" its way through various parts of their waterfall process. Cheers, --Sammy. -----Original Message----- From: SC-L [mailto:sc-l-boun...@securecoding.org] On Behalf Of Stephen de Vries Sent: Tuesday, December 17, 2013 5:21 AM To: Gary McGraw Cc: Secure Code Mailing List Subject: Re: [SC-L] BSIMM-V Article in Application Development Times On 13 Dec 2013, at 22:51, Gary McGraw <g...@cigital.com> wrote: > > From time to time we talk about getting to the dev community here. This > article is at least in the right publication! > > Read it and pass it on: > http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx Hi Gary, In the current BSIMM-V dataset is it possible to narrow the data down to only organisations practising Agile dev? I think it would be interesting to see which BSIMM activities are popular with agile houses, and which not. Ideally, it would be nice to not only differentiate between Agile and non-agile, but different degrees of agile based on the length of iterations and/or the frequency of deployments. E.g. less-agile = 3 month iterations and multi-month deploys, more-agile = continuous delivery with multiple deploys per day. regards, Stephen de Vries http://www.continuumsecurity.net Twitter: @stephendv _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
