Secure Coding mailing list archives
Positive impact of an SSG
From: SMigues at cigital.com (Sammy Migues)
Date: Tue, 10 Mar 2009 23:15:39 -0400
Hi Pravir,

Yes, I agree completely: the data gathered in the BSIMM interviews seem to indicate that "the controls over all" led to what the interviewees saw as improvements in their capability to produce secure software. In the nine companies interviewed, those controls (BSIMM activities, I think) sprang from well-established SSGs -- that is, a specific person or persons with the responsibility for ensuring lots (110, collectively) of activities actually get done.

The BSIMM data to date from specific large organizations indicate that a little under 100:1 is the average ratio for dev/QA to SSG size. It'll be interesting to see how this changes when we get to interviewing smaller organizations and we see if and how they're actually getting it done.

Personally, I don't believe I agree with your guess that 95% of organizations building code can't afford an SSG. I believe every organization that wants to succeed can afford to have someone in charge of success, but that's just my opinion and isn't relevant to BSIMM.

Cheers,

--Sammy.

-----Original Message-----
From: Pravir Chandra [mailto:chandra at list.org]
Sent: Tuesday, March 10, 2009 6:31 PM
To: Sammy Migues
Cc: sc-l at securecoding.org
Subject: Re: [SC-L] Positive impact of an SSG

Hey Sammy.

How does that pertain to a software security group (SSG) per se? The details below seem to indicate that it was the controls over all that led to the positive impact. My main point is that supporting an SSG isn't cost effective for 95% of the organizations out there that are building code. That's why in SAMM, we didn't mandate the structure of the organization and instead concentrated on the functions fulfilled by security guys (regardless of their placement in the org).

p.

On Tue, Mar 10, 2009 at 7:48 AM, Sammy Migues <SMigues at cigital.com> wrote:
Hi all,

I've received some private questions about the 110 activities in BSIMM (bsi-mm.com). Since we built the model directly from the data gathered, each activity is actually being done in one of the nine organizations interviewed. The question is whether there's any evidence the activities are actually effective as opposed to simply being done.

Since we can't publish any private data, I'd like to point folks at this recent article in Information Security Magazine. Jim Routh, CISO of DTCC (one of the nine organizations interviewed), is quoted as follows relative to the impact of software security group activities:

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1346974,00.html

"One of Routh's big wins is inserting security controls early into the software development lifecycle at the DTCC. Vulnerabilities are weeded out well before they appear in functional code that ends up in production, and that has resulted in close to $2 million in productivity gains on a base of $150 million spend for development, Routh says.

"Those gains are exclusively the result of having mature and effective controls within our system and software development lifecycle," Routh says. This is a three-year-old initiative that educates and certifies developers in all DTCC environments in security. Developers are also provided with the necessary code-scanning tools and consulting and services help to keep production code close to pristine."

--Sammy.

Sammy Migues
Principal, Technology
703.404.5830 - http://www.cigital.com
Software confidence. Achieved.
smigues at cigital.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
--
Pravir Chandra
chandra<at>list<dot>org
PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4