Secure Coding mailing list archives
Estimating security effort on software development project
From: "Kreusch, Stephen \(ZA - Johannesburg\)" <skreusch () deloitte co za>
Date: Fri, 28 Jan 2005 18:19:26 +0000
A client of mine is planning on developing a replacement system for their existing retail solution. The client is a retail holding company, with approximately 10 chains, selling clothing, shoes, books, stationery, etc. The solution will likely be based on the Avanade (http://www.avanade.com/) framework.

I have been giving thought to where security could be involved, and estimating effort/cost. An approach of: "Well, the overall project will cost X so give us a security budget of 1% of X" will not work. Business/IT management would like the security team to be involved throughout the process, which could include:

- Ongoing risk assessment and risk management, prioritisation of security issues for fixing, informing and interacting with business to decide what is addressed, what risks they are willing to accept, etc.
- Security requirements development/review
- Threat modelling, (ab)use cases, etc.
- Security architecture development/review
- Secure coding principles/guidelines and review (including developer training up front)
- Application controls definition/review (e.g. roles, segregation of duties, etc.)
- Security test script development/execution
- Infrastructure/environment security requirements, hardening, lockdown, etc.
- Pre-implementation security review
- Post-implementation security review
- etc. etc.

What am I missing which could be added to the list?

***** More importantly, for each of these, how do you estimate security involvement effort/cost? *****

Or put another way, in your experience, what factors have you considered for each security element listed above, and in your experience how long did it actually take?

For example, adding security requirements to use cases should be pretty simple. Take the use cases and expand them to properly cover security. Number of use cases (unknown at this stage) x effort per use case = Y.
However, abuse/misuse cases are something that the security team would develop from scratch rather than working off a use case provided by a developer. How long does each abuse case take to develop? Similarly, focusing on only the important code blocks w.r.t. security, how long? Can code review effort be estimated based on total lines of code? What is the minimum and maximum time for a code review?

Any help would be appreciated.

Thanks
Stephen