hi sc-l,
The BSIMM is a sizeable document, so digesting it all at once can be a
challenge. My monthly InformIT column this month explains the BSIMM in a much
easier to digest, shorter form. The article is co-authored by Brian and Sammy.
BSIMM: Confessions of an Alchemist
hi sc-l,
In our discipline we have been known to complain about developers who take
little interest in the business context their code will exist in. I believe
we're guilty of the same thing when it comes to politics, the government, and
cybersecurity. Every once in a while, one of us comes
Hi Steve,
Because it is about building a top N list FOR A PARTICULAR ORGANIZATION. You
and I have discussed this many times. The generic top 25 is unlikely to apply
to any particular organization. The notion of using that as a driver for
software purchasing is insane. On the other hand if
On Wed, 18 Mar 2009, Gary McGraw wrote:
Many of the top N lists we encountered were developed through the
consistent use of static analysis tools.
Interesting. Does this mean that their top N lists are less likely to
include design flaws? (though they would be covered under various other
Hi Steve,
Many of the top N lists we encountered were developed through the consistent
use of static analysis tools. After looking at millions of lines of code
(sometimes constantly), a ***real*** top N list of bugs emerges for an
organization. Eradicating number one is an obvious priority.
On Wed, 18 Mar 2009, Gary McGraw wrote:
Because it is about building a top N list FOR A PARTICULAR ORGANIZATION.
You and I have discussed this many times. The generic top 25 is
unlikely to apply to any particular organization. The notion of using
that as a driver for software purchasing is
On Wed, 18 Mar 2009, Gary McGraw wrote:
Both early phases of software security made use of any sort of argument
or 'evidence' to bolster the software security message, and that was
fine given the starting point. We had lots of examples, plenty of good
intuition, and the best of intentions.
Colleagues,
I'm pleased to announce the creation of LAMN, the Legion Against Meaningless
certificatioNs. If you don't have a CISSP, CISM, MCSE, or EIEIO - and
you're proud of it - this group is for you.
You can join LAMN on LinkedIn by searching in the groups area. Unlike so
many other
hi sc-l,
For the third anniversary (!) edition of Silver Bullet, that is episode 36, we
do something different. James McGovern, OWASP maven, and Enterprise
Architect for The Hartford Financial Services Group, interviews me. You may
recall that James responded to the OWASP podcast posting