Secure Coding mailing list archives

[Fwd: secure software engineering methodology - aftermath]


From: Mads Rasmussen <mads () opencs com br>
Date: Fri, 02 Apr 2004 19:26:47 +0100



Thought this would fit in here....

Earlier posts can be found following 
http://www.securityfocus.com/archive/107/358125


Sorry to those who have seen it before

I have learned since posting this that NIST will hold a conference on 
security in the development process at the end of the year.


Comments are most welcome

Mads
-----

Thanks to all who responded to my question on methodologies used in
security projects.

To sum up, some work is going on in that area. There seems to have been
a fear of joining known methodologies with security aspects due to fear
of hard criticism.

However, some authors have overcome that fear.

John Viega is doing a security plug-in for RUP and Gunnar Peterson is
doing a book where he lists several methods to be used in the analysis 
phase of a project without referring specifically to RUP, XP or others.


Other books and approaches were presented to me. Some prefer using part
two of Common Criteria to evaluate risks in the project design phase.
Some love the unit tests of XP, some hate them, some say RUP is overkill
for security projects, some say it can be customized really well to
serve well including risk analysis in the elaboration phase.
There are a lot of opinions out there, each person has his own experience 
in these matters and thus thinks accordingly.
So there are no answers, there is no "best practices", of course 
methodologies have always had a point of interpretation, but something 
more specific than what is available today would come in handy.


It would be nice with more discussions on these subjects, there's the
Rational conference where Viega will present his plug-in, but there
should be a specific forum for a security methodology, after all it's too 
important to leave up to each one to make up his own ideas and approach 
as is common practice as of now (according to the comments from the list 
at least). Maybe there is such a forum? If yes, could someone please 
enlighten me?


There are some security methodologies available developed by AT&T and 
DoD, but they are not publicly available, not to a non-American anyway.


I would still appreciate someone sending me a copy of "Trusted Software
Development Methodology", published by the Department of Defense
Strategic Defense Initiative Organization. The document number is
SDI-S-SD-91-000007, dated 17 June 1992 (two volumes).

A Gabriel Sjoberg responded that he had a copy, but he seems to have
vanished.

I am still open for comments on these matters.....

Regards,

Mads Rasmussen
Security Consultant
Open Communications Security
+55 11 3345 2525








