Hey All.<div><br></div><div>On the topic of maturity models, in Gary's first article he mentioned a draft model I created. Since I've mostly been discussing it in OWASP circles, I wanted to point out the Software Assurance Maturity Model (SAMM) project at <a href="http://www.opensamm.org">http://www.opensamm.org</a></div>
<div><br></div><div>I kicked off that work based on a few years' experience running with CLASP and with help from the guys at Fortify. Currently, there's a BETA release (<a href="http://www.opensamm.org/downloads/SAMM-BETA-0.8.1.pdf">http://www.opensamm.org/downloads/SAMM-BETA-0.8.1.pdf</a>), but a new revision should be available by the end of the year. That next revision will reflect feedback from individual reviewers, output from OWASP working sessions, and much of the real-world feedback that Gary talks about below.</div>
<div><br></div><div>I'm always interested to hear comments/questions/flames, so please feel free to download it and send any feedback.</div><div><br></div><div>Thanks!</div><div><br></div><div>p.</div><div><br><div class="gmail_quote">
On Tue, Dec 16, 2008 at 10:25 AM, Gary McGraw <span dir="ltr"><<a href="mailto:gem@cigital.com">gem@cigital.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
hi sc-l,<br>
<br>
Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model <<a href="http://www.informit.com/articles/article.aspx?p=1271382" target="_blank">http://www.informit.com/articles/article.aspx?p=1271382</a>>), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working on that (stay tuned here for more). However, in the course of analyzing the data we gathered, we unearthed some surprises that we share in this month's informIT article:<br>
<br>
<a href="http://www.informit.com/articles/article.aspx?p=1315431" target="_blank">http://www.informit.com/articles/article.aspx?p=1315431</a><br>
<br>
My bet is that some of the findings will come as a surprise to sc-l readers as well. Check the article out.<br>
<br>
Merry New Year to you all.<br>
<br>
gem<br>
<br>
company <a href="http://www.cigital.com" target="_blank">www.cigital.com</a><br>
podcast <a href="http://www.cigital.com/silverbullet" target="_blank">www.cigital.com/silverbullet</a><br>
blog <a href="http://www.cigital.com/justiceleague" target="_blank">www.cigital.com/justiceleague</a><br>
book <a href="http://www.swsec.com" target="_blank">www.swsec.com</a><br>
<br>
_______________________________________________<br>
Secure Coding mailing list (SC-L) <a href="mailto:SC-L@securecoding.org">SC-L@securecoding.org</a><br>
List information, subscriptions, etc - <a href="http://krvw.com/mailman/listinfo/sc-l" target="_blank">http://krvw.com/mailman/listinfo/sc-l</a><br>
List charter available at - <a href="http://www.securecoding.org/list/charter.php" target="_blank">http://www.securecoding.org/list/charter.php</a><br>
SC-L is hosted and moderated by KRvW Associates, LLC (<a href="http://www.KRvW.com" target="_blank">http://www.KRvW.com</a>)<br>
as a free, non-commercial service to the software security community.<br>
_______________________________________________<br>
</blockquote></div><br><br clear="all"><br>-- <br>~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~<br>Pravir Chandra chandra<at>list<dot>org<br>PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4<br>
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~<br>
</div>