Secure Coding mailing list archives
[Fwd: secure software engineering methodology - aftermath]
From: Mads Rasmussen <mads () opencs com br>
Date: Fri, 02 Apr 2004 19:26:47 +0100
Thought this would fit in here.... earlier posts can be found following http://www.securityfocus.com/archive/107/358125 Sorry to those who have seen it before I have learned since posting this that NIST will hold a conference on security in the development process at the end of the year. Comments are most wellcome Mads ----- Thanks to all who responded to my question on methodologies used in security projects. To sum up, some work is going on in that area. There seems to have been a fear of joining known methodologies with security aspects due to fear of hard critism. However some authors have overcome that fear John Viega is doing a security plug-in for RUP and Gunnar Peterson is doing a book where he lists several methods to be used in the analysis phase of a project without referering specifically to RUP, XP or others. Other books and approaches were presented to me. Some prefer using part two of Common Criteria to evaluate risks in the project design phase. Some love the unittests of XP, some hate them, some say RUP is overkill for security projects, some say it can be costumized really well to serve well including risk analysis in the elaboration phase. There is alot of oppinions out there, each person has his own experience in this matters and thus thinks accordingly. So there's no answers, there is no "best practices", ofcause methodologies have always had a point of interpretation, but something more specific than what is available today would come in handy. It would be nice with more discussions on these subjects, there's the Rational conference where Viega will present his plug-in, but there should be a specific forum for a securty methodology, after all it's too important to leave up to each one to make up his own ideas and approach as is common practice as of now (according to the comments from the list at least). Maybe there is such a forum? If yes, could someone please enlighten me? There is some security methodologies available developed by AT&T and DoD, but they are not publicly available, not to a non-american anyway. I would still appreciate someone sending me a copy of "Trusted Software Development Methodology", published by the Department of Defense Strategic Defense Initiative Organization. The document number is SDI-S-SD-91-000007, dated 17 June 1992 (two volumes). A Gabriel Sjoberg responded that he had a copy, but he seems to have vanished. I am still open for comments on these matters..... Regards, Mads Rasmussen Security Consultant Open Communications Security +55 11 3345 2525
Current thread:
- [Fwd: secure software engineering methodology - aftermath] Mads Rasmussen (Apr 02)