Re: [SC-L] BSIMM Diagrams

2013-04-23 Thread Craig Heath
Thanks Ivan!  Unfortunately I wasn't able to look at this straight away,
and when I go to the link now I get "ME-ERR-002 Sorry, we couldn't find the
page you were looking for."

Would you be able to put it up again?

Cheers!

- Craig.


On 18 April 2013 20:13, Iván Arce  wrote:

> Here's a treemap visualization of the same BSIMM measurement from Craig
> Heath's blogpost.
>
> http://www-958.ibm.com/v/297862
>
> The ordering I've found most useful is Domain->Maturity Level->Practice
> with the area of rectangular boxes based on the total count of
> activities in each (practice,level) combination and coloring based on
> count of observed activities. Level->Domain->Practice seems useful too.
> The data file I used is available on the same site.
>
> The visualization tool allows reordering the categories and changing the
> area/color coding ranges interactively.  Unfortunately this requires the
> Java plugin enabled in the browser. If there's interest I'll try to find
> a non-Java, non-Windows-only fat-client (i.e. Tableau Public) way of
> publishing it.
>
> Please send comments or any other feedback to the SC-L list.
>
>
> thanks,
>
> -ivan
>
>
> On 4/10/13 10:29 AM, Craig Heath wrote:
> > Hi all!  List members might be interested in a blog post I've just
> > made here: http://bit.ly/ZEWluE
> >
> > I attended the BSIMM Europe Open Forum last month, and one of the
> > topics that came up was how to show BSIMM assessment results usefully
> > on a diagram.  The spider chart as used in the BSIMM document is great
> > for a high-level visual comparison of a software security initiative
> > with an industry benchmark, but lacks detail of which specific
> > activities are undertaken.  At the forum, Sammy Migues shared
> > something he uses called an equalizer diagram, which is great for
> > showing gaps in coverage of software security activities, but lacks
> > comparison with a benchmark.
> >
> > I wondered whether it would be possible to produce a diagram which
> > combines the advantages of both, and the post linked above describes
> > an attempt at that.
> >
> > I'll be happy to discuss further either here or in the comments on the
> blog.
> >
> > Thanks!
> >
> > - Craig Heath.
> > ___
> > Secure Coding mailing list (SC-L) SC-L@securecoding.org
> > List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (
> http://www.KRvW.com)
> > as a free, non-commercial service to the software security community.
> > Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> > ___
> >
>
>


Re: [SC-L] BSIMM Diagrams

2013-04-19 Thread Daniel Halber
Thanks for sharing, Ivan,
However, Java in the browser is not acceptable, so could you please find
another way to share the visualization tool?
This may not be an easy request to fulfill since I would not launch any
executable code (java or otherwise), without a minimal level of assurance...

Best regards,

Daniel Halber
daniel.hal...@gmail.com



--
*From*: Iván Arce 
*Date*: Thu, 18 Apr 2013 16:13:52 -0300
--

Here's a treemap visualization of the same BSIMM measurement from Craig
Heath's blogpost.
http://www-958.ibm.com/v/297862

The ordering I've found most useful is Domain->Maturity Level->Practice
with the area of rectangular boxes based on the total count of
activities in each (practice,level) combination and coloring based on
count of observed activities. Level->Domain->Practice seems useful too.
The data file I used is available on the same site.

The visualization tool allows reordering the categories and changing the
area/color coding ranges interactively.  Unfortunately this requires the
Java plugin enabled in the browser. If there's interest I'll try to find
a non-Java, non-Windows-only fat-client (i.e. Tableau Public) way of
publishing it.

Please send comments or any other feedback to the SC-L list.


thanks,

-ivan


On 4/10/13 10:29 AM, Craig Heath wrote:


Hi all!  List members might be interested in a blog post I've just
made here: http://bit.ly/ZEWluE

I attended the BSIMM Europe Open Forum last month, and one of the
topics that came up was how to show BSIMM assessment results usefully
on a diagram.  The spider chart as used in the BSIMM document is great
for a high-level visual comparison of a software security initiative
with an industry benchmark, but lacks detail of which specific
activities are undertaken.  At the forum, Sammy Migues shared
something he uses called an equalizer diagram, which is great for
showing gaps in coverage of software security activities, but lacks
comparison with a benchmark.

I wondered whether it would be possible to produce a diagram which
combines the advantages of both, and the post linked above describes
an attempt at that.

I'll be happy to discuss further either here or in the comments on the blog.

Thanks!

- Craig Heath.