On Wed, 3 Feb 2010, Gary McGraw wrote:
Popularity contests are not the kind of data we should count on. But
maybe we'll make some progress on that one day.
That's my hope, too, but I'm comfortable with making baby steps along the
way.
Ultimately, I would love to see the kind of linkage
I for one am pretty satisfied with the rate at which things are
progressing
I dunno...
Again, trying to keep it pithy: I for one welcome our eventual new [insert
hostile nation state here] overlords. /joke
What I see from my vantage point is a majority of people who (1) should know
better given
When comparing BSIMM to SAMM are we suffering from the Mayberry Paradox? Did
you know that Apple is more secure than Microsoft simply because there are more
successful attacks on MS products? Of course, we should ignore the fact that
the number of attackers doesn't prove that one product is
Why are we holding up the statistics from Google, Adobe and Microsoft
(http://www.bsi-mm.com/participate/) in BSIMM?
These companies are examples of recent epic security failure. Probably
the most financially damaging infosec attack, ever. Microsoft let a
plain-vanilla 0-day slip through
At no time did it include corporations who use Ounce Labs or Coverity
Bzzzt. False. While there are plenty of Fortify customers represented in
BSIMM, there are also plenty of participants who aren't Fortify customers.
I don't think there are any hard numbers on market share in this realm, but
On Thu, 4 Feb 2010, Jim Manico wrote:
These companies are examples of recent epic security failure. Probably
the most financially damaging infosec attack, ever. Microsoft let a
plain-vanilla 0-day slip through IE6 for years
Actually, it was a not-so-vanilla use-after-free, which once upon a
hi jim,
We chose organizations that in our opinion are doing a superior job with
software security. You are welcome to disagree with our choices.
Microsoft has a shockingly good approach to software security that they are
kind enough to share with the world through the SDL books and websites.
Merely hoping to understand more about the thinking behind BSIMM.
Here is a quote from the page: Of the thirty-five large-scale software
security initiatives we are aware of, we chose nine that we considered the most
advanced how can the reader tell why others were filtered?
When you visit
Hola Gary, inline:
On Wed, Feb 3, 2010 at 12:05 PM, Gary McGraw g...@cigital.com wrote:
Strategic folks (VP, CxO) ...Initially ...ask for descriptive information,
but once they get
going they need strategic prescriptions.
Please see my response to Kevin. I hope it's clear what the BSIMM is
OK, so this thread has heated up substantially and is on the verge of flare-up.
So, I'm declaring the thread to be dead and expunging the extant queue.
If anyone has any civil and value-added points to add, feel free to submit
them, of course. As always, I encourage free and open debate here,