Re: [SC-L] The Organic Secure SDLC
Hi Jim, thanks for the comments. It's a fair statement that pen tests don't just happen. There are many organizations who don't pay attention to application security at all - and they don't really fit in this model.

You're bang on about the lack of design activities. There just doesn't seem to be consistency here until people take a more meaningful approach like the SDL. That's not to say there aren't exceptions - like we mentioned in the posting, many organizations *do* have some sort of design or architecture assessment; it just doesn't appear to be consistent in our observations.

With respect to implementing metrics, I think this is a sign of maturity that means organizations are pulling away from a reactive approach. To keep the model simple, we've left out details about iterating, although it's very important. Tool selection would typically be contained within the individual step to which the tool applies (e.g. static analysis within source code review).

On Thu, Aug 11, 2011 at 1:58 PM, Jim Bird jimb...@shaw.ca wrote:

Hi Rohit, I just returned from overseas and read through the original post and this email thread. If this Organic model is descriptive (based on what you've observed at companies that you've done work for) then this progression seems to make sense for companies who are working on a reactive basis and starting with outside help. I guess that it starts with consultant-based work like pen testing and source code review, because the customers that call in consultants would ask for this. Of course then a prerequisite would be some kind of business case or risk assessment or other trigger (attack, CEO reading scary things in the Wall Street Journal, ...) to bring in consultants in the first place to see just how bad things are. Pen tests don't just happen.

As John Steven pointed out, there are other important steps like putting in metrics and tracking, and implementing/upgrading tools/frameworks, and (in my experience at least, an important early step) understanding (and later tracking changes to) the attack surface. And iterating through all of this.

I can see how Cigital's experience with larger enterprise customers that drives BSIMM would be different, because these customers themselves would drive additional requirements and have additional resources at hand, and because Cigital has its own methods and engagement model and practices and tools that it would bring into the customer.

I am surprised to see that this model is so code heavy/design lite: there's little emphasis on threat modeling / ARA, maybe because many companies find it so hard to do?

I like the idea of an end-state where security gets burned in to QA like other problems in software development, making the team responsible for security in reviews and testing etc. That's a big step to get to.

/Jim

- Original Message -
From: Rohit Sethi rkli...@gmail.com
Date: Tuesday, July 19, 2011 4:18 pm
Subject: Re: The Organic Secure SDLC
To: John Steven jste...@cigital.com
Cc: Secure Code Mailing List sc-l@securecoding.org, jimb...@shaw.ca, Paco Hope p...@cigital.com

Hi John, Thanks for the feedback. This is exactly what we were looking for. We've certainly sought simplicity in this model, even at the expense of being incomplete. It's not necessarily aimed at the one man shop - it's aimed at any organization where secure software is just not an explicit top-level priority. It doesn't address any of the shortcomings of any previous model because it's not an alternative to them. It's simply an observation of a seemingly natural - organic - progression of steps. I agree with you about its value.

No organization matches this model completely - there are often additional steps, some that you mentioned, which one organization or another takes, or where the order is slightly different than what we've outlined. You can think of the steps we've outlined as a line of best fit: the steps we've seen to be most common. I'm often surprised to find security practitioners thinking they are way behind industry because they are struggling to convince the lines of business to participate in security activities. One motivation for the model is to let those practitioners know that they're not alone.

Case studies are a fantastic idea. We will add these to the model over time. We also want to be able to point to useful resources for people at each step, so if you (i.e. anyone reading this) have written relevant articles or whitepapers let me know.

On Tue, Jul 19, 2011 at 4:43 PM, John Steven jste...@cigital.com wrote:

Paco, Thank you for cogently clarifying BSIMM. I'm a bit disappointed in the community's ignorance regarding the model given it's both freely available and Creative Commons licensed. Equally disappointing, to me, are positions borne out of a Just use [MyModel™:
Re: [SC-L] The Organic Secure SDLC
Hi John, Thanks for the feedback. This is exactly what we were looking for. We've certainly sought simplicity in this model, even at the expense of being incomplete. It's not necessarily aimed at the one man shop - it's aimed at any organization where secure software is just not an explicit top-level priority. It doesn't address any of the shortcomings of any previous model because it's not an alternative to them. It's simply an observation of a seemingly natural - organic - progression of steps. I agree with you about its value.

No organization matches this model completely - there are often additional steps, some that you mentioned, which one organization or another takes, or where the order is slightly different than what we've outlined. You can think of the steps we've outlined as a line of best fit: the steps we've seen to be most common. I'm often surprised to find security practitioners thinking they are way behind industry because they are struggling to convince the lines of business to participate in security activities. One motivation for the model is to let those practitioners know that they're not alone.

Case studies are a fantastic idea. We will add these to the model over time. We also want to be able to point to useful resources for people at each step, so if you (i.e. anyone reading this) have written relevant articles or whitepapers let me know.

On Tue, Jul 19, 2011 at 4:43 PM, John Steven jste...@cigital.com wrote:

Paco, Thank you for cogently clarifying BSIMM. I'm a bit disappointed in the community's ignorance regarding the model given it's both freely available and Creative Commons licensed. Equally disappointing, to me, are positions borne out of a "Just use [MyModel™: BSIMM || SAMM]" perspective. Rohit asked: "If you're an actual practitioner who has lived through developing a secure SDLC I'd love to hear your thoughts about the model's accuracy / relevancy." Responses to this request would provide this mailing list's readership more value.

As one practitioner responsible for several SDL programs, I'll respond ignoring Organic vs. BSIMM. I don't see much value in such a comparison.

[Is 'Organic' a model?]
Yes. Paraphrasing one definition, a model is anything that abstracts a system's factors in a way that helps its users quickly gain insight into the subject's behavior. Inaccuracy isn't a fatal blow to a model; quoting Paul Wilmott's Manifesto [BW1]:

• I will remember that I didn't make the world and that it doesn't satisfy my equations.
• Though I will use models boldly to estimate value, I will not be overly impressed by mathematics.
• I will never sacrifice reality for elegance without explaining why I have done so. Nor will I give the people who use my model false comfort about its accuracy. Instead, I will make explicit its assumptions and oversights.
• I understand that my work may have enormous effects on society and the economy, many of them beyond my comprehension.

...Navigators managed rather well with a Flat Earth hypothesis for some time--no? So, we don't need over one hundred activities in our app. sec. model in order to provide value.

[Motivation]
Most of you know I respect Rohit a fair amount, and so when I read his post, you can imagine my thought, "In a world aware of BSIMM what is the value of 'Organic'?", with honest curiosity, not disdain. I immediately guessed 'Organic' was meant to address a common complaint regarding almost every prior model: "I'm challenged applying this to smaller shops just beginning their Application Security initiatives." Jim Bird has thoughtfully discussed the one man shop problem extensively in his blog [JB1]. Rohit's own explanation mentions "no top down support" as an indication of model applicability.

[Accuracy]
'Organic' ignores a lot of key components that even smaller shops already have in place or care about improving. Three essential ones include 1) measurement and iterative approach [JB2], 2) security policy [PC1], and 3) security toolkits/frameworks [JB2][FM1]. While Rohit's post indicates explicitly that things have been omitted, he focuses on having left out architecture and related activities. To me, even if 'Organic' is designed to focus only on development activities, ignoring a potential need for compliance to regulatory/security policy, leveraging toolkits to make developers' jobs easier, or failing to set up a measure-and-iterate loop are dire mistakes.

I can point to small organizations that have taken very different tacks and don't fit the model. Some start with training. Others lean on SCR tools or security toolkits before ever institutionalizing pen-testing. Perhaps it's inaccurate. Maybe it doesn't meet our industry need for addressing the one man shop. So is it good-for-nothing? No. It's useful.

[Value]
An immediate value that jumped
Re: [SC-L] The Organic Secure SDLC
Try this on for size. JPMC already uses it in practice.

vBSIMM (BSIMM for Vendors) http://www.informit.com/articles/article.aspx?p=1703668 (April 12, 2011)

gem

On 7/18/11 8:35 PM, Anurag Agarwal anurag.agar...@yahoo.com wrote:

Gary - So my next question is, can we come up with something like BSIMM lite, which small or medium size companies with limited resources can use? Or maybe pluggable modules, which different companies can pick and choose depending on the time and resources they can allocate to it? My thought process is, since we have a comprehensive list of activities outlined in BSIMM, we should be able to utilize them unless it is something which won't work across various types of organizations or dev teams with limited resources or other such variables.

What Rohit has outlined in his post is a very small subset of activities in a secure SDLC methodology. Agreed, most of the companies are allocating resources in those activities, but that should not be the standard. Activities like static code analysis or vulnerability assessment should be used to validate threat mitigation and not as a source of identifying them, since it gives them a false sense of security.

The other key element I think which is required now is the measurement criteria to generate metrics. (I don't remember exactly what level of metrics criteria are defined in BSIMM) but they are a must for a company to assess if they are maturing in their process or not; otherwise most of the time it ends up being an academic exercise and gets bypassed as the deadlines get near.

Thoughts?

Thanks,
Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

-Original Message-
From: Gary McGraw [mailto:g...@cigital.com]
Sent: Monday, July 18, 2011 6:40 PM
To: Anurag Agarwal; 'Rohit Sethi'; Secure Code Mailing List
Subject: Re: [SC-L] The Organic Secure SDLC

hi anurag,

The main difference is it is a prescriptive model based on experience (opinion?). The BSIMM is a descriptive model based on observation of over 40 firms. Stay tuned for BSIMM3 in September-ish.

gem

p.s. See Cargo Cult Computer Security http://www.informit.com/articles/article.aspx?p=1562220 (January 28, 2010) for more on prescriptive versus descriptive models.

From: Anurag Agarwal anurag.agar...@yahoo.com
Date: Mon, 18 Jul 2011 15:48:50 -0400
To: 'Rohit Sethi' rkli...@gmail.com, Secure Code Mailing List SC-L@securecoding.org
Subject: Re: [SC-L] The Organic Secure SDLC

Rohit - How is this different from BSIMM?

Thanks,
Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Rohit Sethi
Sent: Monday, July 18, 2011 2:45 PM
To: Secure Code Mailing List
Subject: [SC-L] The Organic Secure SDLC

Hi all,

Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare minimum of production penetration testing through to security in requirements QA.

In order to help us assess where an organization stands in terms of application security maturity, we developed the Organic Secure SDLC model: http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/

If you're an actual practitioner who has lived through developing a secure SDLC I'd love to hear your thoughts about the model's accuracy / relevancy. If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next step in this model then please let me know.

Cheers,
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] The Organic Secure SDLC
To clarify further, this is not meant to be prescriptive or even a set of best practices. It's simple observation on how many organizations tend to evolve if secure SDLC is not a major priority. I can't say it's based on hard data, but we have compiled the steps from experiences at several clients and validated it with several others.

If you were seeking advice on how to build security into the SDLC from the ground up or looking for a set of activities to perform, you'd be better served by looking at BSIMM. The organic secure SDLC misses things, like threat modeling, because in our observations they don't seem to be done consistently.

On Mon, Jul 18, 2011 at 6:40 PM, Gary McGraw g...@cigital.com wrote:

hi anurag,

The main difference is it is a prescriptive model based on experience (opinion?). The BSIMM is a descriptive model based on observation of over 40 firms. Stay tuned for BSIMM3 in September-ish.

gem

p.s. See Cargo Cult Computer Security http://www.informit.com/articles/article.aspx?p=1562220 (January 28, 2010) for more on prescriptive versus descriptive models.

From: Anurag Agarwal anurag.agar...@yahoo.com
Date: Mon, 18 Jul 2011 15:48:50 -0400
To: 'Rohit Sethi' rkli...@gmail.com, Secure Code Mailing List SC-L@securecoding.org
Subject: Re: [SC-L] The Organic Secure SDLC

Rohit – How is this different from BSIMM?

Thanks,
Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Rohit Sethi
Sent: Monday, July 18, 2011 2:45 PM
To: Secure Code Mailing List
Subject: [SC-L] The Organic Secure SDLC

Hi all,

Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare minimum of production penetration testing through to security in requirements QA.

In order to help us assess where an organization stands in terms of application security maturity, we developed the Organic Secure SDLC model: http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/

If you're an actual practitioner who has lived through developing a secure SDLC I'd love to hear your thoughts about the model's accuracy / relevancy. If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next step in this model then please let me know.

Cheers,
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
Re: [SC-L] The Organic Secure SDLC
> To clarify further, this is not meant to be prescriptive or even a set of best practices. It's simple observation on how many organizations tend to evolve if secure SDLC is not a major priority. I can't say it's based on hard data, but we have compiled the steps from experiences at several clients and validated it with several others.

That is exactly the process we followed with the BSIMM. Some of the BSIMM participants were well-established, highly capable, and mature. Others, however, were just getting their security initiatives off the ground. We didn't cherry-pick the best of the world. We went to firms that were significant and found out what they were doing.

> If you were seeking advice on how to build security into the SDLC from the ground up or looking for a set of activities to perform, you'd be better served by looking at BSIMM.

I don't think someone starting from the ground up looks at the BSIMM. If you do, it's a brainstorming exercise to acquaint yourself with terms and activities. If you want something prescriptive, Cigital's touchpoints or Microsoft's SDL are methodologies that tell you what to do.

Think of the BSIMM like a thermometer. It can tell you the temperature of your SDLC. What it can't tell you is whether that's the right temperature or not. If you're making ice cream or if you're making waffles, you have different temperature needs. BSIMM simply tells you how you're doing right now. (And over time if you take repeated measurements).

> The organic secure SDLC misses things, like threat modeling, because in our observations they don't seem to be done consistently.

I think this organic SDLC is mis-named. It is not a software development lifecycle. It is, if anything, a description of how security awareness evolves at some organisations. That is, minimally aware people take the first step of pen testing production systems. As they grow additionally more aware, they start looking earlier and earlier in the lifecycle.

This thing itself is not a lifecycle. It's an observation about some organisations and how they gradually awaken to the need for security in the SDLC. It is entirely possible that "climbing the wall" might happen as the result of taking a measurement using the BSIMM.

Instead of a linear arrow, I wonder if you want to have time on the X axis and level of effort on the Y axis. There's a curve here, and "climb the wall" is a point in the curve where the effort is high.

Anyways, this is just the order that some firms seem to adopt activities in their lifecycles. It is not a lifecycle.

Paco
Re: [SC-L] The Organic Secure SDLC
Hi Paco, sorry, I suppose I misunderstood BSIMM's data collection methodology. In any event, I think it's clear this model isn't really an alternative to BSIMM - it's a very coarse-grained set of steps that many organizations follow before they begin to take on a more disciplined approach to a secure SDLC.

I think you're right about the name. We really mean this to be the evolution of steps rather than being a lifecycle itself. Thanks for the suggestion - we'll go ahead and change it.

On Tue, Jul 19, 2011 at 10:09 AM, Paco Hope p...@cigital.com wrote:

> > To clarify further, this is not meant to be prescriptive or even a set of best practices. It's simple observation on how many organizations tend to evolve if secure SDLC is not a major priority. I can't say it's based on hard data, but we have compiled the steps from experiences at several clients and validated it with several others.
>
> That is exactly the process we followed with the BSIMM. Some of the BSIMM participants were well-established, highly capable, and mature. Others, however, were just getting their security initiatives off the ground. We didn't cherry-pick the best of the world. We went to firms that were significant and found out what they were doing.
>
> > If you were seeking advice on how to build security into the SDLC from the ground up or looking for a set of activities to perform, you'd be better served by looking at BSIMM.
>
> I don't think someone starting from the ground up looks at the BSIMM. If you do, it's a brainstorming exercise to acquaint yourself with terms and activities. If you want something prescriptive, Cigital's touchpoints or Microsoft's SDL are methodologies that tell you what to do.
>
> Think of the BSIMM like a thermometer. It can tell you the temperature of your SDLC. What it can't tell you is whether that's the right temperature or not. If you're making ice cream or if you're making waffles, you have different temperature needs. BSIMM simply tells you how you're doing right now. (And over time if you take repeated measurements).
>
> > The organic secure SDLC misses things, like threat modeling, because in our observations they don't seem to be done consistently.
>
> I think this organic SDLC is mis-named. It is not a software development lifecycle. It is, if anything, a description of how security awareness evolves at some organisations. That is, minimally aware people take the first step of pen testing production systems. As they grow additionally more aware, they start looking earlier and earlier in the lifecycle.
>
> This thing itself is not a lifecycle. It's an observation about some organisations and how they gradually awaken to the need for security in the SDLC. It is entirely possible that "climbing the wall" might happen as the result of taking a measurement using the BSIMM.
>
> Instead of a linear arrow, I wonder if you want to have time on the X axis and level of effort on the Y axis. There's a curve here, and "climb the wall" is a point in the curve where the effort is high.
>
> Anyways, this is just the order that some firms seem to adopt activities in their lifecycles. It is not a lifecycle.
>
> Paco

--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
Re: [SC-L] The Organic Secure SDLC
Jim,

You're spot on. BSIMM is not a lifecycle for any company. Heck, it's not even a set of recommendations. It's simply a way to measure what a firm does. It's a model formulated from observations about how some firms implement software security in their lifecycles. You'll never catch us calling the BSIMM a lifecycle.

As for not translating into the SMB market, I don't understand that. Unlike, say, prescriptive standards which say "thou shalt do X" regardless of how big you are, the BSIMM measures maturity of what a firm actually does. There is no reason an SMB could not measure the maturity of their effort using the BSIMM. Maturity is not a function of size. A team of 10 developers might score higher on various criteria than a multi-national bank that has a whole team of people dedicated to app sec. Maturity is a function of the depth to which one takes a certain activity and their capability within that activity.

This isn't Pac-Man, either. The goal is not to get the highest score and an extra man. :) The goal is to put the right level of effort into the right places. A firm can't do that until they know how much effort they're spending on different activities. The BSIMM will illuminate the level of effort. It allows a firm to decide to rebalance and spread the budget/people around across the activities that make sense. Whether that's a team of 10 developers or a team of 1000 developers, the principle is the same. The execution varies.

Here's another analogy. You can have a GPS and know your exact coordinates, to within 3 meters, but not know how to get to the airport by car. The BSIMM will tell you your coordinates at the present time. It does not tell you the best way to the airport. It can tell you the crow-fly distance to the airport, but it can't tell you that the airport is where you want to be.

Paco

> Paco,
>
> By your same logic I would not consider BSIMM a lifecycle either. It's a thermometer to measure an SDLC against what some of the largest companies are doing. As others have noted, BSIMM does not translate well into the SMB market where most software is written. Don't get me wrong, BSIMM is very interesting data and is useful. But a comprehensive secure software lifecycle for every company it is not.
>
> - Jim Manico
>
> On Jul 19, 2011, at 9:35 AM, Paco Hope p...@cigital.com wrote:
>
> > Think of the BSIMM like a thermometer. It
[SC-L] The Organic Secure SDLC
Hi all,

Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare minimum of production penetration testing through to security in requirements QA.

In order to help us assess where an organization stands in terms of application security maturity, we developed the Organic Secure SDLC model: http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/

If you're an actual practitioner who has lived through developing a secure SDLC I'd love to hear your thoughts about the model's accuracy / relevancy. If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next step in this model then please let me know.

Cheers,
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
Re: [SC-L] The Organic Secure SDLC
Rohit - How is this different from BSIMM?

Thanks,
Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Rohit Sethi
Sent: Monday, July 18, 2011 2:45 PM
To: Secure Code Mailing List
Subject: [SC-L] The Organic Secure SDLC

Hi all,

Over the years we've had the opportunity to see the evolution of security in software development life cycles (SDLC) at many organizations. We've started to see patterns in how things evolve from a path of least resistance: from the bare minimum of production penetration testing through to security in requirements QA.

In order to help us assess where an organization stands in terms of application security maturity, we developed the Organic Secure SDLC model: http://www.sdelements.com/secure-sdlc/software-security-throughout-life-cycle-9-steps/

If you're an actual practitioner who has lived through developing a secure SDLC I'd love to hear your thoughts about the model's accuracy / relevancy. If you know of any practical whitepapers / articles that might be of use to somebody responsible for moving to the next step in this model then please let me know.

Cheers,
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi