While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model.
Lots has been said, so I’d just like to quote one little bit:
“One could build a maturity model for software security theoretically (by pondering what organizations should do) or one could build a maturity model by understanding what a set of distinct organizations have already done successfully. The latter approach is both scientific and grounded in the real world, and is the one we followed.”
It’s long, but an easy and worthwhile read if you’re thinking of putting together or improving your software security practice.
Incidentally, my boss also commented on our work blog, in “Building Security In Maturity Model on the SDL Blog.”