I'm often asked by folks to compare and contrast some of the various published software security practices, from Microsoft's SDL and OWASP's CLASP through Cigital's "Touchpoint" processes. My own view is that they all offer value and are all worthy of consideration. In his most recent "Justice League" blog entry, Gary McGraw offers his own (obviously biased, as Cigital's CTO) comparison between their own approaches and Microsoft's SDL. You can read what he has to say at: versus-microsofts-sdl/

After recently reading Michael Howard and Steve Lipner's SDL book, I found a lot that I liked -- notably their discussions about testing. I admit that it largely changed my opinion about the value of (smart) fuzzing, for example.

But how about others' experiences? I've found a lot of people feel comfortable with Microsoft's STRIDE / DREAD approaches because they're relatively lightweight and an easy first step to take. Anyone here care to offer their own opinions and experiences?


Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC

Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.