hi sc-l,

This list is made up of a bunch of practitioners (more than a thousand from 
what Ken tells me), and we collectively have many different ways of promoting 
software security in our companies and our clients.  The BSIMM study 
<http://bsi-mm.com> focuses attention on software security in large 
organizations and just at the moment covers the work of 1554 full time 
employees working every day in 26 software security initiatives.  One 
phenomenon we observed in the BSIMM was that every large initiative has a 
Software Security Group (SSG) to carry out and lead software security 

I wrote about our observations around SSGs in this month's informIT article:


Simply put, an SSG is a critical part of a software security initiative in all 
companies with more than 100 developers.  (We're still not sure about SSGs in 
smaller organizations, but the BSIMM Begin data (now hovering at 75 firms) may 
be revealing.)

Cigital's SSG was formed in 1997 (with John Viega, Brad Arkin, and me as 
founding members).  Since its inception, we've helped plan, staff, and carry 
out ten large software security initiatives in customer firms.  One of the most 
important first tasks is establishing an SSG.

Merry New Year everybody.


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to