Thursday, 30 October 2008
Start State
It's easy to visualize a world where you can actually trust the software you use. In fact, a lot of people try to pretend they live in that world right now! While the end state is easy to imagine, many organizations have far more trouble figuring out how to exit the start state. In other words, what do you do first? How will you know if you're making progress? How do you know when you've arrived?
We're going to try to answer some of those questions by creating a maturity model for software security. Based on a first draft created largely by Pravir Chandra, we've set up a software security framework. Check it out here.
Now the data are starting to roll in. Gary McGraw, Sammy Migues, and I just finished our first round of maturity model interviews. We're talking to the people in charge of some of the most successful initiatives in the world and mapping what they've accomplished into the framework. We've got a huge amount of work in front of us, but the results are already fascinating.