I think MS is more an example of an ideal than what the comparatively everyman organization can realistically hope to achieve, basically given resource constraints.
Mike

On Mon, Dec 21, 2009 at 8:37 PM, David Ladd <davel...@microsoft.com> wrote:
> To be clear - we do both. We automate and standardize to the extent
> possible, then advise/adjudicate as necessary for situations that don't fit
> the norm.
>
> Dave
>
> *From:* Mike Boberski [mailto:mike.bober...@gmail.com]
> *Sent:* Monday, December 21, 2009 5:22 PM
> *To:* Gary McGraw
> *Cc:* David Ladd; SC-L@securecoding.org; dustin.sulli...@informit.com
> *Subject:* Re: [SC-L] InformIT: You need an SSG
>
> I dunno, the concept of "SSG" seems overly broad to me. Looking at security
> libraries as a feature or a module eliminates the us vs. them paradox.
> Adding a new second security group is just twice as confrontational to the
> still single development team.
>
> Mike
>
> On Mon, Dec 21, 2009 at 7:20 PM, Gary McGraw <g...@cigital.com> wrote:
>
> Hi mike,
>
> The BSIMM calls out "security features and design" explicitly, and covers
> that good idea. (Though watch out for generic one-size-fits-all solutions.)
> An SSG helps with creation, review, and roll out of such.
>
> Calling an SSG a "committee" is pretty hilarious. I doubt any of the 100
> microsoft SSG members think they are a committee. Hey ladd, how goes the SDL
> committee?
>
> gem
> ------------------------------
>
> *From*: Mike Boberski
> *To*: Gary McGraw
> *Cc*: Secure Code Mailing List ; Dustin Sullivan
> *Sent*: Mon Dec 21 19:01:37 2009
> *Subject*: Re: [SC-L] InformIT: You need an SSG
>
> Hi Gary.
>
> To play devil's advocate:
>
> Current organizational practices aside, I would say that organizations
> really need more and better toolkits and standards for developers to use,
> than they need more and better committees.
>
> A toolkit example that comes to mind, to keep this email short: the
> highly-matrixed environment (and actually also the smaller environment, now
> that I think about it) where developers fly on and off projects.
>
> Toolkits that enforce coding standards, and that are treated like any other
> module of the application in terms of care and feeding, are the only things
> that give security a fighting chance in environments like those.
>
> Best,
>
> Mike B.
>
> On Mon, Dec 21, 2009 at 8:24 AM, Gary McGraw <g...@cigital.com> wrote:
>
> hi sc-l,
>
> This list is made up of a bunch of practitioners (more than a thousand from
> what Ken tells me), and we collectively have many different ways of
> promoting software security in our companies and our clients. The BSIMM
> study <http://bsi-mm.com> focuses attention on software security in large
> organizations and just at the moment covers the work of 1554 full time
> employees working every day in 26 software security initiatives. One
> phenomenon we observed in the BSIMM was that every large initiative has a
> Software Security Group (SSG) to carry out and lead software security
> activities.
>
> I wrote about our observations around SSGs in this month's informIT
> article:
>
> http://www.informit.com/articles/article.aspx?p=1434903
>
> Simply put, an SSG is a critical part of a software security initiative in
> all companies with more than 100 developers. (We're still not sure about
> SSGs in smaller organizations, but the BSIMM Begin data (now hovering at 75
> firms) may be revealing.)
>
> Cigital's SSG was formed in 1997 (with John Viega, Brad Arkin, and me as
> founding members). Since its inception, we've helped plan, staff, and carry
> out ten large software security initiatives in customer firms. One of the
> most important first tasks is establishing an SSG.
>
> Merry New Year everybody.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________