One thing that I am firm in my belief is that process is not a substitute for 
competence. Imagine taking lots of overweight IT guys and training them to ride 
a horse. That doesn't mean that they will go on to become successful horse 
jockeys and you would be dumb to bet on them.
In terms of CMMi, my thought says that buyers of consulting services and 
enterprise software need an independent way of quantifying what they are buying 
from a security perspective. While the logic used in outsourcing is flawed, 
buyers still prefer outsourcing firms that have higher levels of CMMI than 
those that don't. 
In the same way this listserv attempts to help folks write secure software, we 
need a way to help folks also procure secure software and stealing some aspects 
of CMMi while compromising some level of integrity will have lift in the long 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goertzel, Karen
Sent: Tuesday, August 07, 2007 9:39 AM
Subject: Re: [SC-L] Software process improvement produces secure software?

I've always had a question about this as well; specifically, what is really 
meant by "adding security to a CMM"?

I've always felt that the level at which the software (or system) process is 
defined by a CMM is too high and too abstract for the addition of security 
activities to be particularly meaningful.

My feeling is that a CMM is best used as a means of ensuring that the more 
detailed life cycle process is implemented in a disciplined manner, and that 
the amount of benefit, in terms of improvement of whatever property one is 
trying to improve - quality, reliability, security, safety - of the 
system/software that results from the process can be measured.

Where the actual security activities need to be defined and added are to the 
life cycle methodology. At best, adding security to a CMM can provide a very 
high level framework for helping someone who is "shopping" for a life cycle 
methodology know what to look for in that methodology. Is a CMM necessary for 
that purpose? I'm not convinced that it is.

I think what is likely to be more effective is a change in outlook by the 
practitioners who will be using the life cycle methodology. Their outlook needs 
to change so that a single question is asked before any choice or decision is 
made: What are the security implications of the choice/decision?

Of course, there's much more to it than just asking that question. And that's 
the reason we need to train developers, testers, etc. to (1) understand what 
"security" means, both at the software and system levels; (2) visualise and 
recognise the possible impact(s) each of their choices/decisions could have on 
the security of the system they are building (before the fact); (3) recognise 
the impacts each of their choices/decisions has had on the security of the 
system they have built (after the fact). Tools and techniques to help 
developers do the second and third of these are proliferating (e.g., threat 
modeling, attack trees, etc. for before-the-fact; analysis and testing tools 
for after-the-fact). But in the end, I believe the #1 factor that will 
contribute to the increased security of software is the developer's mentality. 
A security-aware...and more importantly, a security-*concerned&...developer is 
more likely to (1) avoid making bad choices and decisions, and (2) to take an 
interest in, and pursue becoming, knowledgeable enough to correct bad choices 
that he/she did not avoid making earlier.

Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Francisco Nunes
Sent: Tue 07-Aug-07 07:01
Subject: [SC-L] Software process improvement produces secure software?

Dear list members.

In june 2007, I had an interesting conversation with
Mr. Will Hayes from SEI during the Brazilian Symposium
on Software Quality. It was a great experience and I
am very grateful for this.

During our conversation, I made a question to Mr.
Hayes similar to this: "Is it possible that only
software development process improvements can produce
secure software?"

The scenario was only based on CMMI without security

His answer to this question was "YES". My answer was

His answer made me confuse and I had no arguments,
mainly, because my professional experience in software
process does not compare to Mr. Haye's experience.

Unfortunately, I also haven't found any statistics
which could answer this question. Please, if there is
one, let me know!

So, how about you, list members? What are your answers
to the question above?

I will try to organize your answers and present the
final result.

Thank you.

Yours faithfully,
Francisco José Barreto Nunes.

      Alertas do Yahoo! Mail em seu celular. Saiba mais em
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to