Secure Coding mailing list archives
Technology-specific Security Standards
From: jsteven at cigital.com (John Steven)
Date: Wed, 23 May 2007 14:38:34 -0400
All, My last two posts to Cigital's blog covered whether or not to build your security standards specific to a technology-stack and code-centric or to be more general about them: http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e 2%80%9cspecificity-knob%e2%80%9d/ And http://www.cigital.com/justiceleague/2007/05/21/how-to-write-good-security-g uidance/ Dave posted a comment on the topic, which I'm quoting here: ----- Your point about the ?perishability? of such prescriptive checklists does make the adoption of such a program fairly high maintenance. Nothing wrong with that, but expectations should be set early that this would not be a fire and forget type of program, but rather an ongoing investment. ----- I agree, specifying guidance at this level does take a lot more effort; you get what you pay for eh? I responded in turn with a comment of my own. I've seen some organizations control this cost effectively and still get value: See: http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e 2%80%9cspecificity-knob%e2%80%9d/#comment-1048 Some people think my stand controversial... What do you guys think? ---- John Steven Technical Director; Principal, Software Security Group Direct: (703) 404-5726 Cell: (703) 727-4034 Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 Blog: http://www.cigital.com/justiceleague Papers: http://www.cigital.com/papers/jsteven http://www.cigital.com Software Confidence. Achieved.
Current thread:
- Technology-specific Security Standards John Steven (May 23)
- Technology-specific Security Standards Benjamin Tomhave (May 23)