Many folks have talked about certification of individuals but is there merit in noodling the notion of a security maturity model? What if end-customers could rank their software vendors in a transparent manner in the same way that outsourcing firms pursue CMMi?
The notion of third-party assessors that determine this form of certification could be supplemental revenue for those who are employed by consulting firms. Could be similar to SCRUMAlliance certification if you prefer something lighter weight. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ljknews Sent: Wednesday, July 25, 2007 10:23 PM To: SC-L@securecoding.org Subject: Re: [SC-L] how far we still need to go At 2:03 AM +0100 7/26/07, Dinis Cruz wrote: > It's a simple economics problem. The moment these companies and >developers lose sales (or market share) because their products require >admin / root privileges to run, is the moment they start to REALLY >support it. For Windows that day might be when they have to run under the new US federal government standard Windows configuration, due out any month now. -- Larry Kilgallen ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________