1. Common Criteria vs SAST
2. The disclosure of IP to
http://www.dsd.gov.au/infosec/aisep/providers.htm vs .gov
3. External Audit vs Internal Audit
I will add this to http://code.google.com/p/opensamm/issues/list for
consideration but wanted to allow discussion first because there is a
lot of (sometimes confusing) information to take in - I recommend
multiple readings :)
--
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh
_______________________________________________
SAMM mailing list
SA...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/samm
p.
On 8/30/11 9:05 PM, Christian Heinrich wrote:
> In relation to thread on incorporating the supply chain into OpenSAMM
> i.e. https://lists.owasp.org/pipermail/samm/2011-February/000285.html
> I would like to draw your attention to
> http://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do,
> specifically:
>
> 1. Common Criteria vs SAST
> 2. The disclosure of IP to
> http://www.dsd.gov.au/infosec/aisep/providers.htm vs .gov
> 3. External Audit vs Internal Audit
>
> I will add this to http://code.google.com/p/opensamm/issues/list for
> consideration but wanted to allow discussion first because there is a
> lot of (sometimes confusing) information to take in - I recommend
> multiple readings :)
>
>
On Thu, Sep 1, 2011 at 5:42 AM, Pravir Chandra <cha...@owasp.org> wrote:
> Wow, I didn't read all of Mary Ann's post, but from the parts I read, seems
> like a decent rant. Go ahead and add something about Supply Chain to the
> issue tracker since it definitely has come up before and we didn't
> explicitly decide on how SAMM should address that space. My general feeling
> is that endorsing some kind of test isn't the right approach. Rather, I like
http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/ is
Veracode's response.
Andre Gironda also raises some excellent counterpoints to Veracode in
their blog post.
On Thu, Sep 1, 2011 at 5:42 AM, Pravir Chandra <cha...@owasp.org> wrote:
> what Colin proposed a while back which was to pick an assurance level (i.e.
> a vector of scores across the 12 SAMM practices) and ask your vendors to
> comply and produce some evidence of that.
I would like to see something similar to the level of effort of the TOV
within ASVS, with a percentage of code reviewed after continuous
integration (CI).
Since I am also referring to CI, we may as well include measuring the
maturity of the dev toolchain (in a non-vendor-specific way) too.
--
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh