[SC-L] InformIT: You need an SSG

2009-12-21 Thread Gary McGraw
hi sc-l, This list is made up of a bunch of practitioners (more than a thousand from what Ken tells me), and we collectively have many different ways of promoting software security in our companies and our clients. The BSIMM study http://bsi-mm.com focuses attention on software security in

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
Hi Gary. To play devil's advocate: Current organizational practices aside, I would say that organizations really need more and better toolkits and standards for developers to use, than they need more and better committees. A toolkit example that comes to mind, to keep this email short: the

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
I think MS is more an example of an ideal than what the comparatively everyman organization can realistically hope to achieve, basically given resource constraints. Mike On Mon, Dec 21, 2009 at 8:37 PM, David Ladd davel...@microsoft.com wrote: To be clear - we do both. We automate and

Re: [SC-L] InformIT: You need an SSG

2009-12-21 Thread Mike Boberski
But, do those require a second security group to execute(?) Mike On Mon, Dec 21, 2009 at 9:41 PM, David Ladd davel...@microsoft.com wrote: A lot of people look at what has been published from Microsoft about the SDL – most notably the MSDN guidance