January 19, 2009
InformIT: Software [In]security: Software Security Top 10 Surprises
Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working on that (stay tuned here for more). However, in the course of analyzing the data we gathered, we unearthed some surprises that we share in this article.
Nine Top Software Security Programs
Of the twenty-three large-scale software security initiatives we are aware of, we chose nine that we considered the most advanced. Our nine organizations are drawn from three verticals: financial services, independent software vendors, and technology firms.
On average, the target organizations have practiced software security for five years and four months (the newest initiative is two and a half years old and the oldest is a decade old). All nine have an internal group devoted to software security, which we choose to call the Software Security Group, or SSG. SSG size is 41 people on average (smallest 12, largest 100, median 35), with a "satellite" of others (developers, architects, and people in the organization directly engaged in and promoting software security) of 79 people on average (smallest 0, largest 300, median 20). The average number of developers among our targets was 7550 people (smallest 450, largest 30,000, median 5000), yielding an average ratio of SSG to development staff of just over 1%.
We conducted the nine interviews in person and spent two hours going over each software security initiative in a conversation guided by the software security framework.
Posted by thdyck on January 19, 2009