For anyone interested in this topic and working in appsec and/or dev, there's a survey by the Trusted Software Alliance which touches on some of these questions here: https://www.surveymonkey.com/s/Developers_and_AppSec
> On Jan 7, 2014, at 8:07 PM, Christian Heinrich
> <christian.heinr...@cmlh.id.au> wrote:
>
>> Stephen,
>>
>> On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries
>> <step...@continuumsecurity.net> wrote:
>>
>>> Leaving the definition of agile aside for the moment, doesn't the fact that the BSIMM measures organisation-wide activities but not individual dev teams mean that we could be drawing inaccurate conclusions from the data? E.g. if an organisation says it is doing arch reviews, code reviews and sec testing, it doesn't necessarily mean that every team is doing all of those activities, so it may give the BSIMM reader a false impression of the use of those activities in the real world.
>>>
>>> In addition to knowing which activities are practiced organisation-wide, it would also be valuable to know which activities work well on a per-team or per-project basis.
>>
>> My reading of the "Roles" section of BSIMM-V.pdf is that the people interviewed for the BSIMM sample are:
>>
>> 1. Executive Leadership (or CISO, VP of Risk, CSO, etc)
>> 2. Everyone else within the Software Security Group (SSG)
>>
>> What you are asking to be included is what is referred to as the "Satellite" within BSIMM-V.pdf, and I believe this may also require the inclusion of http://cmmiinstitute.com/cmmi-solutions/cmmi-for-development/ too (why not :) ).
>>
>> The issue with this is that it would invalidate the statistics from the prior five BSIMM releases due to the inclusion of new questions, and in addition these new statistics were not gathered over time either, hence the improvements measured over time within BSIMM would be invalid too due to the new dataset.
>>
>> Furthermore, Gary, Sammy and Brian have limited time to interview all 67 BSIMM participating firms.
>>
>> However, I would be interested to know the "BSIMM Advisory Board" (i.e. http://bsimm.com/community/) view on this, and whether it would be possible to undertake this additional sampling within their own BSIMM participating firm to determine if additional value would be gained for BSIMM. However, I suspect that an objective measurement would be too hard to quantify due to the internal politics of each BSIMM participating firm, but I could be wrong.
>
> _______________________________________________

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________