Hey Sammy. How does that pertain to a software security group (SSG) per se? The details below seem to indicate that it was the controls over all that lead to the positive impact.
My main point is that supporting an SSG isn't cost effective for 95% of the organizations out there that are building code. That's why in SAMM, we didn't mandate the structure of the organization and instead concentrated on the functions fulfilled by security guys (regardless of their placement in the org). p. On Tue, Mar 10, 2009 at 7:48 AM, Sammy Migues <smig...@cigital.com> wrote: > Hi all, > > I've received some private questions about the 110 activities in BSIMM > (bsi-mm.com). Since we built the model directly from the data gathered, each > activity is actually being done in one of the nine organizations interviewed. > The question is whether there's any evidence the activities are actually > effective as opposed to simply being done. > > Since we can't publish any private data, I'd like to point folks at this > recent article in Information Security Magazine. Jim Routh, CISO of DTCC (one > of the nine organizations interviewed), is quoted as follows relative to the > impact of software security group activities: > > http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1346974,00.html > > "One of Routh's big wins is inserting security controls early into software > development lifecycle at the DTCC. Vulnerabilities are weeded out well before > they appear in functional code that ends up in production and that has > resulted in close to $2 million in productivity gains on a base of $150 > million spend for development, Routh says. > > "Those gains are exclusively the result of having mature and effective > controls within our system and software development lifecycle," Routh says. > This is a three-year-old initiative that educates and certifies developers in > all DTCC environments in security. Developers are also provided with the > necessary code-scanning tools and consulting and services help to keep > production code close to pristine." > > --Sammy. > > Sammy Migues > Principal, Technology > 703.404.5830 - http://www.cigital.com > Software confidence. Achieved. > smig...@cigital.com > > > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > -- ~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~ Pravir Chandra chandra<at>list<dot>org PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4 ~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
