[trustable-software] OpenSAMM vs TSFdn

Colin Robbins colin.robbins at qonex.com
Fri Sep 9 12:40:09 UTC 2016


Hello Paul,

For info, I have made the folk at the TSI/TFDn aware of this discussion, and 
hopefully they will respond about how to get involved.  From my 
understanding it's an open process, conducted via working group meetings, but 
not conducted online.  The pace of progress has slowed of late and it will be 
interesting to see how this evolves.

Another organisation I have become aware of is BSIMM (Building Security In 
Maturity Model) [1].
It's focused on Security, so does not cover safety aspects.
Their specification is open, and available for download; they also have a good 
looking list of commercial supporters.
Getting involved in developing the spec seems to be via membership of BSIMM, 
but I'm not certain.

Please don't misunderstand - I'm not against the suggestion of developing 
OpenSAMM, rather trying to make sure we engage the communities that have 
already spent lots of effort in thinking about these issues.

Cheers,


[1] https://www.bsimm.com/

Colin Robbins
Qonex (the consulting arm of Nexor)

Tel: +44 (0) 115 953 5541

-----Original Message-----
From: Paul Sherwood [mailto:paul.sherwood at codethink.co.uk]
Sent: 31 August 2016 11:29
To: dah at seriousaboutsecurity.com; Colin Robbins <colin.robbins at qonex.com>
Cc: trustable-software at lists.veristac.io
Subject: OpenSAMM vs TSFdn

Hi Colin, Duncan
I've now had a chance to digest some of the material from TSI/TSFdn and from 
OpenSAMM and would be very interested in your (and others') thoughts on the 
following:

TSI/TFDn [1]
========
- I can't accept this group's strong claim that 'Software Trustworthiness has 
5 facets. They are Safety, Reliability, Availability, Resilience and 
Security.' I'm pretty sure there are more facets than that, for example 
provenance - if we don't know where the software has come from, how can it 
possibly be 'trustworthy'?

- One of the outputs is a British Standard [3]. Unfortunately my practical 
experience with standards and certification authorities has been 
disappointing, since the motivations of the respective parties often misalign 
versus achieving best engineering results. Certification is often more 
marketing than technical - organisations pay so they can tick the box on sales 
responses and stick the logo on their website.

- I can't find any actual community or independent discussion around the TSI 
work. It's not clear to me how I or anyone is expected to actually get 
involved, other than by spending time wading through their website, and doing 
the twitter/linkedin/facebook dance (!!!).

- I did notice the news page [2] doesn't include anything since April, and 
wonder if this is more a behind-closed-doors organisation - which would be 
odd, since I think most experts have concluded that open is best for security 
these days. One of the things I'm very sensitive to, based on experience, is 
the need to avoid 'echo chamber' thinking, and get multiple independent 
people/organisations critiquing each other's ideas. It would be fantastic if 
we could encourage more TSI people to join this discussion, for example - I'm 
sure there's more value in their work and experience than what I've been able 
to learn so far.

OpenSAMM [3]
========
- the main link [3] has been down for a while, which ironically demonstrates 
one of the weaknesses in community efforts - we shouldn't actually rely on 
community-sponsored infrastructure for critical things.
- In spite of the web troubles, I like the SAMM work a lot, not least because 
there's a visible community [4] and the history of at least some of their 
reasoning and outputs public, for example [5] and [6]
- the SAMM model is strong on checklists and measuring things, with examples, 
and the style is easy to reason about and to apply
- the framework has grown up in the context of security for online (primarily 
web) services, but I think the approach could be usefully extended for other 
kinds of software and systems, and also for other facets of trustability.
- SAMM is licensed CC-BY-SA, which means we could safely reuse and build on it 
to address further factors for trustability.
- And I happen to know one of the lead contributors (Pravir Chandra) from 
another context, which strengthens my belief that the underlying foundations 
are worth considering.

So I'm now considering the possibility of encouraging some people to look into 
building and extending on the SAMM model, for example
- towards embedded devices and IoT
- towards safety-critical software
- towards longterm maintainability of systems

br
Paul

[1] http://tsfdn.org
[2] http://tsfdn.org/latest-news/
[3] http://www.opensamm.org
[3] http://shop.bsigroup.com/ProductDetail/?pid=000000000030284608
[4] http://lists.owasp.org/pipermail/samm/
[5] https://github.com/OWASP/samm