Secure Coding mailing list archives
Really dumb questions?
From: rcs at cert.org (Robert C. Seacord)
Date: Thu, 30 Aug 2007 08:57:24 -0400
James, Bret -

I agree with Bret that security and quality are inherently related (as well as many other system attributes). I think vendors (particularly sales guys) tend to reflect back to customers what they are hearing from other customers. So I think many customers go to these vendors asking for "security" solutions or looking for just general "QA" tools. Of course, there are also subsets of coding defects that are more highly correlated with security vulnerabilities, which is what a vendor often means by "a security focus".

rCs
At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote:

> So when a vendor says that they are focused on quality and not security, and vice versa, what exactly does this mean? I don't have a great mental model of something that is a security concern that isn't a predictor of quality. Likewise, in terms of quality, other than producing metrics on things such as depth of inheritance, cyclomatic complexity, etc., wouldn't bad numbers here at least be a predictor of a bad design and therefore warrant deeper inspection from a security perspective?

My opinion is that security and quality are inherently related. Poor security indicates poor design, poor testing etc.; poor quality management tends to result in poor application security. In fact, two jobs ago I used this argument to implement security at a company that was extremely strong in quality (5% of the workforce belonged to the quality dept). I've also found that using "quality" tools such as FMECA etc. for security assessments works very easily.

Cheers
Bret

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-6989