Greetings SC-L,

I thought I'd chime in on this, as it very closely relates to my current book project.

On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote:
> Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of many of the top software security initiatives.

Great work, guys. In some areas, I think it's probably overly simplistic, as some of the practices span more than one domain. (Notably, penetration testing can and should be part of a security testing regimen as well as a deployment testing regimen, IMHO.) But it's a great starting point for going out and gathering real world data on what's being done in the field. More importantly, it's useful at defining what practices should be assessed for a maturity model.

> Our plan of action is to interview the people running the top ten large-scale software security initiatives over the next few weeks and then build a maturity model with the resulting data.

Our discipline stands to gain significantly from having a maturity model in place, if for no other reason than to help dev organizations set goals and objectives in their software security efforts.

Pravir et al at OWASP have done a great job at getting one started over there. I also love the idea of using real world data as an initial set of measurements for each maturity level, especially for early version(s) of a maturity model. I think that goes a long way to helping development organizations realistically know what to aspire to--and how to get there--for each maturity level.

In time, however, I'd sure like to see the maturity model advance beyond that and set the bars higher than "just" what's currently being done in practice, and define what *should* be done. That said, starting with a solid framework of practices to measure for each maturity level is the right way to do things.

IMHO, it'll probably be a few years before these efforts bear significant fruit in terms of advancing what is being practiced in the field, but we've got to start somewhere. Kudos.

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________