Hi Bret and Mike,

While you guys are certainly entitled to your opinion, I think it is important to acknowledge facts when you state an argument. Please take a few minutes to read the article I posted on SSGs (this "committee" language you're both using is very humorous BTW...thanks for the laugh). After you've read the article, let's have an informed debate. Here's the URL again:

http://www.informit.com/articles/article.aspx?p=1434903

The article draws conclusions based on observations from 26 companies (Microsoft is only 1 of the 26). The data I based my SSG claims on are provided in analyzed form. Just for the record, the article also states that we're not sure whether the data described in the BSIMM are relevant for SMB (small and medium sized businesses), something I repeated in my sc-l post yesterday. We have plans to find out using real data (again). We will not draw any conclusions without gathering data and publishing it.

Your opinion that an SSG "rarely delivers anything useful" certainly does not apply to the 26 companies we studied (so far) in the BSIMM, nor does it cohere with my fifteen years of experience in the field. What observations are you basing your argument on? Can you show us some data?

I'm afraid your toolset argument teeters precariously on opinion and falls into a familiar pattern that goes something like this in BNF:

<FlavOfDay> = {<owasp top 10>, <code review tools>, <pen testing>, <firewalls>, <APIs>, <rampant finger crossing>}

Software security can be solved by <FlavOfDay> because I said so.

While it is true that you said so, I'm pretty sure you're going to need a more convincing argument. Unless we rely on data and evidence when we do our work, we'll end up looking just as silly as those people who disagree with evolution and global warming. It's science time.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 12/21/09 11:24 PM, "Bret Watson" <li...@ticm.com> wrote:

> At 08:01 AM 22/12/2009, Mike Boberski wrote:
> >Hi Gary.
> >
> >To play devil's advocate:
> >
> >Current organizational practices aside, I would say that
> >organizations really need more and better toolkits and standards for
> >developers to use, than they need more and better committees.
>
> I'd have to agree - whilst an SSG is probably a great opportunity for a management consultant, it rarely delivers anything directly useful. In fact I would go as far as to say that if an SSG delivers something useful, the organisation was already ready to deliver the changes. Committees rarely take direct ownership of a problem.
>
> Toolsets may or may not deliver results - depending on whether there are ways around them - too often you hear the excuse "we can't waste time with that - the business won't wait". However toolsets will work if you have a good, properly supported security mgmt function :)
>
> Cheers
>
> Bret

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________