Full Disclosure mailing list archives

Murray's comments on McGraw's new book off the mark


From: Carolyn Meinel <cmeinel () techbroker com>
Date: Thu, 02 Mar 2006 10:24:54 -0700

Yesterday in the SANS NewsBytes, Bill Murray made a comment about
Gary McGraw's new book on software security that was off the mark:
"Wrong focus.  Most of these 'touchpoints' are about late flaw
detection and removal." However, even a cursory reading of "Software
Security: Building Security In" (Addison Wesley, 2006) makes it
evident that McGraw emphasizes early prevention.

McGraw's touchpoints are:
1) Requirements and use cases
2) Architecture and Design
3) Test plans
4) Code
5) Tests and test results
6) Feedback from the field

The first four come before new software even runs for the first time.
Furthermore, McGraw makes a powerful case for the economic value of
those first four. For example, Fig. 2-2 on page 74 shows "Security
ROI (Return on Investment) by Phase." It assigns the highest ROI to
the first two touchpoints, which are the pre-coding design phases. It
assigns the lowest ROI to testing. Figure 3-2 on page 92 shows "Cost
of Fixing Defects at Each Stage of Software Development." It shows an
almost zero cost for avoiding defects in the requirements and design
phases, slightly more for the coding phase, and by far the highest
cost for the last two touchpoints of testing and maintenance.

Furthermore, McGraw's approach to software security is entirely
consistent with the CMMI Guidelines for Process Integration and
Development, and therefore is within the mainstream of engineering
quality control. He adds essential details relevant to computer
security to known good practices in any engineering design process.
By contrast, essentially everything anyone else has written about
computer security falls into the category of fixing existing defects.

If computer security professionals want to ensure the viability of
their careers over the upcoming decades, knowledge of how to build
security into the software development process will be a big asset.
As Keith Rhodes, Chief Technologist and Director, Center for
Technology and Engineering at the Government Accounting Office has
said, "You can pay me now by coding it right, or pay me later. Go to
the bookstore and check out the computer shelves. They come in two
sections: books about crap, and books about how to survive crap.
Surviving means workarounds, and they introduce their own problems."
The success of McGraw's series of books on software security suggests
that many software developers are getting religion: don't code crap any more!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/