BSIMM is a reflection of how some of the most mature organizations add security activities into their SDLC. The Organic Secure SDLC is simply a reflection of how many organizations that do not have the same top-level support for security gradually implement security into their SDLC. It follows a path of least resistance rather than doing what's most cost effective or even logical. It focuses on organizational challenges such as how requirements analysts are often not motivated to integrate security even if it's cost effective ( http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/why-requirements-analysts-dont-usually-care-about-security/ )
On Mon, Jul 18, 2011 at 3:48 PM, Anurag Agarwal <anurag.agar...@yahoo.com> wrote:
> Rohit – How is this different from BSIMM?
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anu...@myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Rohit Sethi
> Sent: Monday, July 18, 2011 2:45 PM
> To: Secure Code Mailing List
> Subject: [SC-L] The Organic Secure SDLC
>
> Hi all,
>
> Over the years we've had the opportunity to see the evolution of security
> in software development life cycles (SDLC) at many organizations. We've
> started to see patterns in how things evolve from a path of least
> resistance: from the bare minimum of production penetration testing through
> to security in requirements & QA.
>
> In order to help us assess where an organization stands in terms of
> application security maturity, we developed the Organic Secure SDLC model:
> http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/
>
> If you're an actual practitioner who has lived through developing a secure
> SDLC I'd love to hear your thoughts about the model's accuracy / relevancy.
>
> If you know of any practical whitepapers / articles that might be of use to
> somebody responsible for moving to the next in this model then please let me
> know.
>
> Cheers,
>
> --
> Rohit Sethi
> SD Elements
> http://www.sdelements.com
> twitter: rksethi

--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________