[trustable-software] OpenSAMM vs TSFdn
Colin Robbins
colin.robbins at qonex.com
Fri Sep 9 12:40:09 UTC 2016
Hello Paul,
For info, I have made the folk at the TSI/TSFdn aware of this discussion, and
hopefully they will respond about how to get involved. From my
understanding it's an open process, conducted via working group meetings, but
not conducted online. The pace of progress has slowed of late and it will be
interesting to see how this evolves.
Another organisation I have become aware of is BSIMM (Building Security In
Maturity Model) [1].
It's focused on security, so does not cover safety aspects.
Their specification is open, and available for download; they also have a good
looking list of commercial supporters.
Getting involved in developing the spec seems to be via membership of BSIMM,
but I'm not certain.
Please don't misunderstand - I'm not against the suggestion of developing
OpenSAMM, rather trying to make sure we engage the communities that have
already spent lots of effort in thinking about these issues.
Cheers,
[1] https://www.bsimm.com/
Colin Robbins
Qonex (the consulting arm of Nexor)
Tel: +44 (0) 115 953 5541
-----Original Message-----
From: Paul Sherwood [mailto:paul.sherwood at codethink.co.uk]
Sent: 31 August 2016 11:29
To: dah at seriousaboutsecurity.com; Colin Robbins <colin.robbins at qonex.com>
Cc: trustable-software at lists.veristac.io
Subject: OpenSAMM vs TSFdn
Hi Colin, Duncan
I've now had a chance to digest some of the material from TSI/TSFdn and from
OpenSAMM and would be very interested in your (and others') thoughts on the
following:
TSI/TSFdn [1]
========
- I can't accept this group's strong claim that 'Software Trustworthiness has
5 facets. They are Safety, Reliability, Availability, Resilience and
Security.' I'm pretty sure there are more facets than that, for example
provenance - if we don't know where the software has come from, how can it
possibly be 'trustworthy'?
- One of the outputs is a British Standard [3]. Unfortunately my practical
experience with standards and certification authorities has been
disappointing, since the motivations of the respective parties often misalign
versus achieving best engineering results. Certification is often more
marketing than technical - organisations pay so they can tick the box on sales
responses and stick the logo on their website.
- I can't find any actual community or independent discussion around the TSI
work. It's not clear to me how I or anyone is expected to actually get
involved, other than by spending time wading through their website, and doing
the twitter/linkedin/facebook dance (!!!).
- I did notice the news page [2] doesn't include anything since April, and
wonder if this is more a behind-closed-doors organisation - which would be
odd, since I think most experts have concluded that open is best for security
these days. One of the things I'm very sensitive to, based on experience, is
the need to avoid 'echo chamber' thinking, and get multiple independent
people/organisations critiquing each other's ideas. It would be fantastic if
we could encourage more TSI people to join this discussion, for example - I'm
sure there's more value in their work and experience than what I've been able
to learn so far.
OpenSAMM [4]
========
- the main link [4] has been down for a while, which ironically demonstrates
one of the weaknesses in community efforts - we shouldn't actually rely on
community-sponsored infrastructure for critical things.
- In spite of the web troubles, I like the SAMM work a lot, not least because
there's a visible community [5] and the history of at least some of their
reasoning and outputs is public, for example [5] and [6]
- the SAMM model is strong on checklists and measuring things, with examples,
and the style is easy to reason about and to apply
- the framework has grown up in the context of security for online (primarily
web) services, but I think the approach could be usefully extended for other
kinds of software and systems, and also for other facets of trustability.
- SAMM is licensed CC-BY-SA, which means we could safely reuse and build on it
to address further factors for trustability.
- And I happen to know one of the lead contributors (Pravir Chandra) from
another context, which strengthens my belief that the underlying foundations
are worth considering.
So I'm now considering the possibility of encouraging some people to look into
building and extending on the SAMM model, for example
- towards embedded devices and IoT
- towards safety-critical software
- towards long-term maintainability of systems
br
Paul
[1] http://tsfdn.org
[2] http://tsfdn.org/latest-news/
[3] http://shop.bsigroup.com/ProductDetail/?pid=000000000030284608
[4] http://www.opensamm.org
[5] http://lists.owasp.org/pipermail/samm/
[6] https://github.com/OWASP/samm