Hi Bret and Mike,

While you guys are certainly entitled to your opinion, I think it is important 
to acknowledge facts when you state an argument.  Please take a few minutes to 
read the article I posted on SSGs (this "committee" language you're both using 
is very humorous BTW...thanks for the laugh).   After you've read the article, 
let's have an informed debate. Here's the URL again:


The article draws conclusions based on observations from 26 companies 
(Microsoft is only 1 of the 26).   The data I based my SSG claims on are 
provided in analyzed form.  Just for the record, the article also states that 
we're not sure whether the data described in the BSIMM are relevant for SMBs 
(small and medium-sized businesses), something I repeated in my sc-l post 
yesterday.   We have plans to find out using real data (again).  We will not 
draw any conclusions without gathering data and publishing it.

Your opinion that an SSG "rarely delivers anything useful" certainly does not 
apply to the 26 companies we studied (so far) in the BSIMM, nor does it cohere 
with my fifteen years of experience in the field.  What observations are you 
basing your argument on?  Can you show us some data?

I'm afraid your toolset argument teeters precariously on opinion and falls into 
a familiar pattern that goes something like this in BNF:

<FlavOfDay> = {<owasp top 10>, <code review tools>,<pen 
testing>,<firewalls>,<APIs>,<rampant finger crossing>}
     Software security can be solved by <FlavOfDay> because I said so.

While it is true that you said so, I'm pretty sure you're going to need a more 
convincing argument.  Unless we rely on data and evidence when we do our work, 
we'll end up looking just as silly as those people who disagree with evolution 
and global warming.

It's science time.


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 12/21/09 11:24 PM, "Bret Watson" <li...@ticm.com> wrote:

At 08:01 AM 22/12/2009, Mike Boberski wrote:
>Hi Gary.
>To play devil's advocate:
>Current organizational practices aside, I would say that
>organizations really need more and better toolkits and standards for
>developers to use, than they need more and better committees.

I'd have to agree - whilst SSG is probably a great opportunity for a
management consultant, it rarely delivers anything directly useful.
In fact I would go as far as to say that if a SSG delivers something
useful, the organisation was already ready to deliver the changes.
Committees rarely take direct ownership of a problem.

Toolsets may or may not deliver results - depending on whether there are
ways around them - too often you hear the excuse "we can't waste time
with that - the business won't wait".

However, a toolset will work if you have a good, properly supported
security mgmt function :)



Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
