Company Blog

Follow-up: Integrating Assessment Tools

My last post spawned some questions, which I responded to in turn. Here was my response: [Adapters] Adapters for assessment results can take a few forms, but let’s address three specific scenarios that fan in to an assessment results/presentation step and a few that fan out. [Fan-in] Fan-in typically comes from three sources: 1) static [...]

Maturity Models vs. Top 10 Lists

A few posts back, I wrote about Maturity Models vs. ASVS. On SC-L, a ‘discussion’ broke out regarding Maturity Models (MM) vs. Top N lists. Like ASVS, Top 10 lists target a different problem than MMs. In particular, the discussion focused on how one should enhance their assessment practices. I’ve edited and reproduced my SC-L post [...]

Marketing Will Kill Federated Identity on the Web

Warning: a fair amount of cynicism occurs in this post. Some of my buddies have been exchanging ideas about what keeps us interested, and one friend was thinking about how he could use a user’s Facebook login on his site. This nudge, along with some work I’m doing with federated identity and Amazon SSO, all [...]

Security Folk Often Carry Macs: Is That an Endorsement?

The Geekonomics blog is often good. A new post indicates that Apple’s veneer of being more secure than Microsoft is cracking. It was only a matter of time. I wanted to clarify that, though you see a lot of security consultants carrying Macs, in Cigital’s case it’s not an endorsement. Again, in the interest of disclosure: though [...]

Improving Software Security (Maturity Models and Their Ilk?)

Ben Worthen broke the BSIMM story on wsj.com, as was posted earlier. I was shocked when someone said, “Oh, and ASVS is also available, great” on an OWASP list. Super, I thought, but I don’t understand the connection. When I looked at the WSJ site, I noticed Jim Manico (of OWASP, Aspect, and ASVS fame) [...]

Announcing the Building Security In Maturity Model (BSIMM)

The first phase in our endeavor to bring some science to software security is at a close. Our science-y approach started with some anthropology several months ago. We asked nine firms to tell us about their software security group (SSG), its inception, its activities, and the success it has achieved. The result is the Building [...]