[SC-L] (fwd) informIT: A Software Security Framework
Kenneth Van Wyk
ken at krvw.com
Thu Oct 16 08:22:20 EDT 2008
Greetings SC-L,
I thought I'd chime in on this, as it very closely relates to my
current book project.
On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote:
> Brian Chess and I have been working hard on a software security
> framework that we are using in a scientific study of many of the top
> software security initiatives.
Great work, guys. In some areas, I think it's probably overly
simplistic, as some of the practices span more than one domain.
(Notably, penetration testing can and should be part of a security
testing regimen as well as a deployment testing regimen, IMHO.) But
it's a great starting point for going out and gathering real world
data on what's being done in the field. More importantly, it's useful
at defining what practices should be assessed for a maturity model.
> Our plan of action is to interview the people running the top ten
> large-scale software security initiatives over the next few weeks
> and then build a maturity model with the resulting data.
Our discipline stands to gain significantly from having a maturity
model in place, if for no other reason than to help dev organizations
set goals and objectives in their software security efforts.
Pravir et al at OWASP have done a great job at getting one started
over there. I also love the idea of using real world data as an
initial set of measurements for each maturity level, especially for
early version(s) of a maturity model. I think that goes a long way to
helping development organizations realistically know what to aspire
to--and how to get there--for each maturity level.
In time, however, I'd sure like to see the maturity model advance
beyond that and set the bars higher than "just" what's currently being
done in practice, and define what *should* be done. That said,
starting with a solid framework of practices to measure for each
maturity level is the right way to do things.
IMHO, it'll probably be a few years before these efforts bear
significant fruit in terms of advancing what is being practiced in the
field, but we've got to start somewhere. Kudos.
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com