I think MS is more an example of an ideal than what the comparatively everyman organization can realistically hope to achieve, basically given resource constraints.<br><br clear="all">Mike<br>
<br><br><div class="gmail_quote">On Mon, Dec 21, 2009 at 8:37 PM, David Ladd <span dir="ltr"><<a href="mailto:daveladd@microsoft.com">daveladd@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Consolas; color: rgb(31, 73, 125);">To be clear - we do both. We automate and standardize to the
extent possible, then advise/adjudicate as necessary for situations that don’t fit
the norm.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Consolas; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Consolas; color: rgb(31, 73, 125);">Dave</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Consolas; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> Mike Boberski
[mailto:<a href="mailto:mike.boberski@gmail.com" target="_blank">mike.boberski@gmail.com</a>] <br>
<b>Sent:</b> Monday, December 21, 2009 5:22 PM<br>
<b>To:</b> Gary McGraw<br>
<b>Cc:</b> David Ladd; <a href="mailto:SC-L@securecoding.org" target="_blank">SC-L@securecoding.org</a>; <a href="mailto:dustin.sullivan@informit.com" target="_blank">dustin.sullivan@informit.com</a><div><div></div><div class="h5">
<br>
<b>Subject:</b> Re: [SC-L] InformIT: You need an SSG</div></div></span></p>
</div><div><div></div><div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-bottom: 12pt;">I dunno, the concept of
"SSG" seems overly broad to me. Looking at security libraries as a
feature or a module eliminates the us vs. them paradox. Adding a new second
security group is just twice as confrontational to the still single development
team.<br>
<br clear="all">
Mike<br>
<br>
</p>
<div>
<p class="MsoNormal">On Mon, Dec 21, 2009 at 7:20 PM, Gary McGraw <<a href="mailto:gem@cigital.com" target="_blank">gem@cigital.com</a>> wrote:</p>
<p><span style="font-size: 10pt; color: navy;">Hi
Mike,<br>
<br>
The BSIMM calls out "security features and design" explicitly, and
covers that good idea. (Though watch out for generic one-size-fits-all
solutions.) An SSG helps with creation, review, and roll-out of such. <br>
<br>
Calling an SSG a "committee" is pretty hilarious. I doubt any of the
100 Microsoft SSG members think they are a committee. Hey Ladd, how goes the
SDL committee?<br>
<br>
gem</span></p>
<div class="MsoNormal" style="text-align: center;" align="center">
<hr width="100%" align="center" size="2">
</div>
<p class="MsoNormal"><b><span style="font-size: 10pt;">From</span></b><span style="font-size: 10pt;">: Mike Boberski <br>
<b>To</b>: Gary McGraw <br>
<b>Cc</b>: Secure Code Mailing List ; Dustin Sullivan <br>
<b>Sent</b>: Mon Dec 21 19:01:37 2009<br>
<b>Subject</b>: Re: [SC-L] InformIT: You need an SSG </span></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom: 12pt;">Hi Gary.<br>
<br>
To play devil's advocate: <br>
<br>
Current organizational practices aside, I would say that organizations really
need more and better toolkits and standards for developers to use, than they
need more and better committees.<br>
<br>
A toolkit example that comes to mind, to keep this email short: the
highly-matrixed environment (and actually also the smaller environment, now
that I think about it) where developers fly on and off projects.<br>
<br>
Toolkits that enforce coding standards, and that are treated like any other
module of the application in terms of care and feeding, are the only things
that give security a fighting chance in environments like those. <br>
<br>
Best,<br>
<br>
Mike B.<br>
<br>
</p>
<div>
<p class="MsoNormal">On Mon, Dec 21, 2009 at 8:24 AM, Gary McGraw <<a href="mailto:gem@cigital.com" target="_blank">gem@cigital.com</a>> wrote:</p>
<p class="MsoNormal">hi sc-l,<br>
<br>
This list is made up of a bunch of practitioners (more than a thousand from
what Ken tells me), and we collectively have many different ways of promoting
software security in our companies and our clients. The BSIMM study <<a href="http://bsi-mm.com" target="_blank">http://bsi-mm.com</a>> focuses
attention on software security in large organizations and just at the moment
covers the work of 1554 full-time employees working every day in 26 software
security initiatives. One phenomenon we observed in the BSIMM was that every
large initiative has a Software Security Group (SSG) to carry out and lead
software security activities.<br>
<br>
I wrote about our observations around SSGs in this month's InformIT article:<br>
<br>
<a href="http://www.informit.com/articles/article.aspx?p=1434903" target="_blank">http://www.informit.com/articles/article.aspx?p=1434903</a><br>
<br>
Simply put, an SSG is a critical part of a software security initiative in all
companies with more than 100 developers. (We're still not sure about SSGs
in smaller organizations, but the BSIMM Begin data (now hovering at 75 firms)
may be revealing.)<br>
<br>
Cigital's SSG was formed in 1997 (with John Viega, Brad Arkin, and me as
founding members). Since its inception, we've helped plan, staff, and
carry out ten large software security initiatives in customer firms. One
of the most important first tasks is establishing an SSG.<br>
<br>
Merry New Year, everybody.<br>
<br>
gem<br>
<br>
company <a href="http://www.cigital.com" target="_blank">www.cigital.com</a><br>
podcast <a href="http://www.cigital.com/silverbullet" target="_blank">www.cigital.com/silverbullet</a><br>
blog <a href="http://www.cigital.com/justiceleague" target="_blank">www.cigital.com/justiceleague</a><br>
book <a href="http://www.swsec.com" target="_blank">www.swsec.com</a><br>
<br>
_______________________________________________<br>
Secure Coding mailing list (SC-L) <a href="mailto:SC-L@securecoding.org" target="_blank">SC-L@securecoding.org</a><br>
List information, subscriptions, etc - <a href="http://krvw.com/mailman/listinfo/sc-l" target="_blank">http://krvw.com/mailman/listinfo/sc-l</a><br>
List charter available at - <a href="http://www.securecoding.org/list/charter.php" target="_blank">http://www.securecoding.org/list/charter.php</a><br>
SC-L is hosted and moderated by KRvW Associates, LLC (<a href="http://www.KRvW.com" target="_blank">http://www.KRvW.com</a>)<br>
as a free, non-commercial service to the software security community.<br>
_______________________________________________</p>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div></div></div>
</div>
</blockquote></div><br>