Gary McGraw based on his experience in interpreting BSIMM for the past four years jointly came up with the Ten Commandments for software security with Cigital Principals including Paco Hope, Scott Matsumoto, Sammy Migues, and John Steven. Here are 5 of the Ten Commandments as posted on searchsecurity.techtarget.com.
1. Lead your software security initiative (SSI) with a software security group (SSG)
Software Security Groups include people with good coding experience and architectural understanding. Thus, before adopting software security activities, companies should create a Software Security Group.
2. Rely on risk management and objective measurement using the BSIMM—not "Top Ten Lists" and vulnerability counts—to define SSI success
The BSIMM provides various measures for adopting Software Security Initiatives. It provides a detailed snapshot of the SSI which can be understood by the executives in the higher levels. One can compare his/her activities with others to determine if they are leading with regards to the initiative undertaken or whether they are at par with others or if they are below the mark.
3. Communicate with executives, directly linking SSI success to business value and comparing your firm against its peers
Executives at the higher level expect to see key performance indicators which include the various aspects of the Software Security Initiative. Testers are expected to fix the security problems. If they are not doing anything to fix the problem, they may be seen as a part of the problem.
4. Do not limit software security activity to only technical SDLC activities and especially not to penetration testing alone
It must be remembered that software security is not all about technical issues. Testers should take advantage of penetration testing but they must also know its limitations. The main limitation of penetration testing is that it is too expensive to fix a problem.
5. Grow and nurture software security professionals for your SSG
The best software security professionals are difficult to find. Therefore, in order to have a team of the best SSG members, developers can be taught about security. Gary McGraw looks for a person who can review the codes apart from fixing security problems and who is well aware of penetration testing.