Security Basics mailing list archives

Re: Secure Software Development Checklist


From: Erin Carroll <amoeba () amoebazone com>
Date: Thu, 1 Nov 2007 20:17:45 +0000 (UTC)


There are many different SDLC processes out there. RUP, Agile, Extreme, the various DoJ processes... The Wikipedia entry for SDLC is actually useful (!) as a starting point from a process perspective.

Tools-wise there are also some avenues to look into: Mercury, DevInspect/QAInspect from SPI Dynamics (now HP), FxCop, and others.

This is one of those seemingly simple questions with a bazillion correct answers... depending on your particulars :)

Since this is a PCI-driven initiative, talk with your auditors to get their specific requirements and then tailor your SDLC process to meet their requirements while also making sure you don't cause a revolt at the dev level with onerous processes :0

--
Erin Carroll
Moderator, SecurityFocus pen-test list


On Thu, 1 Nov 2007, mikef () everfast com wrote:

Because I'm the resident security expert, I've been tasked with helping our developers ensure new applications meet industry standard (particularly PCI) security requirements. I'm thinking about doing some sort of checklist that could be used to verify the particular requirements are met during the development phase, but I'm not sure where to start.

Most of the secure coding information relates to web applications; however, I need to develop rules for a variety of applications ranging from web to DOS (yes, that's MS-DOS) to point of sale. Also, could the checklist be used for a variety of programming languages?
