[SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)
Gary McGraw
gem at cigital.com
Wed Mar 18 15:52:15 EST 2009
hi sc-l,
The BSIMM is a sizeable document, so digesting it all at once can be a challenge. My monthly informIT column this month explains the BSIMM in a much easier to digest, shorter form. The article is co-authored by Brian and Sammy.
BSIMM: Confessions of an Alchemist
http://www.informit.com/articles/article.aspx?p=1332285
<Dons asbestos suit from the 80s flame wars>
We had a great time writing this one. Here is my favorite paragraph (in the science versus alchemy vein):
"Both early phases of software security made use of any sort of argument or 'evidence' to bolster the software security message, and that was fine given the starting point. We had lots of examples, plenty of good intuition, and the best of intentions. But now the time has come to put away the bug parade boogeyman, the top 25 tea leaves, black box web app goat sacrifice, and the occult reading of pen testing entrails. The time for science is upon us."
John Waters also wrote a nice piece on the BSIMM that appeared today:
http://visualstudiomagazine.com/news/article.aspx?editorialsid=10689
To download the complete model, see http://bsi-mm.com
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com