RE: Corsaire White Paper: Secure Development Framework

["Glyn Geoghegan" <glyng () corsaire com>]

Thanks Kevin.

This paper has focussed much more on security interaction with the
development process, but as you rightly mention, security should be
considered during the business requirements stage too.  

Security knowledge-share with the development team during the workshops and
other early phases provides a good opportunity to instil the right security
concerns in the team, and to ensure the functional requirements are properly
defined and understood.

It would be very interesting to get feedback from those already engaging in
a multi-phased approach to secure development, or to see how this kind of
strategy would be implemented in a more complex development life-cycle that
the good old waterfall model.

Regards,
Glyn.

> -----Original Message-----
> From: Flanagan, Kevin [mailto:Kevin.Flanagan () bmwfs com] 
> Sent: 26 May 2004 06:06
> To: 'Glyn Geoghegan'; webappsec () securityfocus com
> Subject: RE: Corsaire White Paper: Secure Development Framework
>
> This is a fairly well-written high-level review of the software design
> process.  It leaves out details on introducing security into 
> the business
> requirements process.  
>
> Even though security is predominantly a non-functional 
> requirement,  I feel
> that if you are going to ask a development team to design, 
> build, and test
> something, you should have some fairly specific  requirements 
> around how you
> expect that application to behave.  This is even more 
> important if you are
> going to be outsourcing development.  I feel you can save a 
> lot of confusion
> if you can articulate security requirements for an 
> application before the
> design even starts.  
>
> With that said, does anyone have any good references for building good
> non-functional security requirements for applications (both web and
> desktop).  I guess a lot of this can be covered in terms of 
> application
> development standards that go across any application 
> development, but has
> anyone successfully implemented security controls (standards, 
> guidelines,
> etc.) around the requirements process?
>
> -Kevin
>
> -----Original Message-----
> From: Glyn Geoghegan [mailto:glyng () corsaire com] 
> Sent: Tuesday, May 25, 2004 2:30 AM
> To: webappsec () securityfocus com
> Subject: Corsaire White Paper: Secure Development Framework
>
>
> Hi all,
>
> Corsaire's latest paper on strategies for produce secure 
> web-applications is
> now available at:
>
> http://www.corsaire.com/white-papers/
>
> This white paper deals with developing a secure framework, 
> both for internal
> and outsourced development.  Within this context, secure 
> development is
> considered to be the process of producing reliable, stable, bug and
> vulnerability free software.  This paper focuses on why a 
> secure development
> framework is needed, touches on its benefits and provides an 
> overview of how
> organisations can implement such strategies successfully.  A 
> simple software
> development model is used as an example in the paper, but the 
> theories are
> expected to be developed and adapted to suit the specific 
> methodologies and
> goals of any environment.
>
> Regards,
>
> Glyn Geoghegan
> www.corsaire.com
> +44 (0) 1483 226000