Secure Coding mailing list archives

top 10 software security surprises


From: chandra at list.org (Pravir Chandra)
Date: Tue, 16 Dec 2008 15:57:55 -0800

Hey All.
On the topic of maturity models, in Gary's first article he mentioned a
draft model I created. Since I've mostly been discussing it in OWASP
circles, I wanted to point out the Software Assurance Maturity Model (SAMM)
project at http://www.opensamm.org

I kicked off that work based on a few years experience running with CLASP
and with help from the guys at Fortify. Currently, there's a BETA release (
http://www.opensamm.org/downloads/SAMM-BETA-0.8.1.pdf), but a new revision
should be available by the end of year. That next revision will reflect
feedback from individual reviewers, output from OWASP working sessions, and
much of the real-world feedback that Gary talks about below.

I'm always interested to hear comments/questions/flames, so please feel free
to download it and send any feedback.

Thanks!

p.

On Tue, Dec 16, 2008 at 10:25 AM, Gary McGraw <gem at cigital.com> wrote:

hi sc-l,

Using the software security framework introduced in October (A Software
Security Framework: Working Towards a Realistic Maturity Model <
http://www.informit.com/articles/article.aspx?p=1271382>), we interviewed
nine executives running top software security programs in order to gather
real data from real programs. Our goal is to create a maturity model based
on these data, and we're busy working on that (stay tuned here for more).
However, in the course of analyzing the data we gathered, we unearthed some
surprises that we share in this month's informIT article:

http://www.informit.com/articles/article.aspx?p=1315431

My bet is that some of the findings will come as a surprise to sc-l readers
as well.  Check the article out.

Merry New Year to you all.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________




-- 
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra                      chandra<at>list<dot>org
PGP:    CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~