Re: Security Capability Maturity Model

Ron Resnick (
Fri, 17 Oct 1997 12:21:05 +0200

At 10:17 AM 10/16/97 -0700, Rohit Khare wrote:

>At that moment, it occurred to me that there is even a very literal link
>from security to software process. I pulled out the CMM paper to explain
>the concept of organizational maturity and realized that it applies exactly
>to the kinds of security practices I've observed in industry.


SEI CMM, and its cousin ISO certification, are a bunch of BS, if you ask me
(you didn't - but I'm telling you anyway).

I know of lots of companies doing one or both, and I've been involved in
design shops compliant to both CMM and ISO at Nortel and IBM. Lots of
paperwork, lots of wasted time, lots of sniggers and disdain. No benefit.
Have you ever been through an audit? Biggest pile of crap I've ever seen.
I've seen projects pass audits spotlessly where the very basic notions
of what the project was about, who its customers were, what its design
staff was trying to do, were totally unclear. And I've seen audits come down
hard on essentially well-run development processes, and fuck them up
so badly with revised procedures and documentation trails that they pretty
much destroyed the cohesiveness of the project.

Let these 'quality experts' into your shop, and you're courting disaster.

I'm not anti-quality, or against
pride in good effective work habits. I just don't believe
CMM or ISO have any real relationship, in the actual working world, to
these things.

Ok, so perhaps you're taken more with CMM as a theoretical model of how
organizations mature, as opposed to an empiric standardization test. But
the reality is that businesses could give two hoots about what a bunch
of theorists think - they only get in on this stuff because it's like
being 'environmentally friendly' - you have to be buzzword compliant since
your customers expect it.

<These comments not endorsed by IBM>