We need a no-frills, roughly-right life-cycle to raise our level of software security assurance. Right now there are several security life-cycles, both in the wild and available through vendors. None of them attends to the full spectrum of security and risk needs: most are heavily centered on software testing, but the security umbrella is much larger than that.
Maybe more importantly, development and delivery methodologies have changed drastically over the last couple of years, and this is becoming true even of large-scale enterprise shops. The pace of everything is increasing, and the limited number of security practitioners can no longer scale to fit the need.
We need a security development life-cycle that truly brings about security assurance. It should:
- Make security an enabler for development teams
- Scale security to where it needs to be
- Fit any development methodology
- Cover the major aspects of security
- Increase the overall level of security assurance
- The essential security checklist
- An SDL knowledgebase driven by the community
- A platform that enables continuous improvement
A basic framework for the concept has been built around a wiki and OpenSAMM. This framework should be good enough to grow the idea and to determine whether it adds security value. The current version is here:
If you would like to be involved, drop me a note at