Gary,
Could you clarify your (and/or the BSIMM) position on secure by design
vs designed to be secure? You're encouraging the adoption of
secure-by-design building blocks, as a part of SFD2.1, but then warning
that designed to be secure != secure. I can think of examples/ways
that what you've
On Tue, Oct 18, 2011 at 10:34 AM, Gary McGraw g...@cigital.com wrote:
On 10/15/11 5:45 PM, Steven M. Christey co...@rcf-smtp.mitre.org wrote:
3) The wording about OWASP ESAPI in SFD2.1 is unclear: Generic open
source software security architectures including OWASP ESAPI should
not be
hi steve and sc-l,
Sorry for the delay in responding. I am just catching up after spending
last week in Bloomington, Indiana. Some quick answers:
1) Was any analysis done to ensure that the 3 levels are consistent
from a maturity perspective - for example, if an organization
performed an
software security right but big companies can.
-Chris
-Original Message-
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Steven M. Christey
Sent: Saturday, October 15, 2011 5:45 PM
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L
Gary,
Congratulations to you, Brian, Sammy, and the rest of the BSIMM3
community!
I have a few questions:
1) Was any analysis done to ensure that the 3 levels are consistent
from a maturity perspective - for example, if an organization
performed an activity at level 2, that there was
hi sc-l,
BSIMM3 was just posted. You can download it from http://bsimm.com
Since the first BSIMM interview in October 2008, we've progressed from 9 to 30
to 42 firms (and more, at this point). We've also measured 11 firms twice, with
about 19 months between measurements on average, providing