Secure Coding mailing list archives

Technology-specific Security Standards


From: jsteven at cigital.com (John Steven)
Date: Wed, 23 May 2007 14:38:34 -0400

All,

My last two posts to Cigital's blog covered whether or not to build your
security standards specific to a technology-stack and code-centric or to be
more general about them:

http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e2%80%9cspecificity-knob%e2%80%9d/

And

http://www.cigital.com/justiceleague/2007/05/21/how-to-write-good-security-guidance/

Dave posted a comment on the topic, which I'm quoting here:
-----
Your point about the "perishability" of such prescriptive checklists does
make the adoption of such a program fairly high maintenance. Nothing wrong
with that, but expectations should be set early that this would not be a
fire and forget type of program, but rather an ongoing investment.
-----

I agree, specifying guidance at this level does take a lot more effort; you
get what you pay for eh? I responded in turn with a comment of my own. I've
seen some organizations control this cost effectively and still get value:

See:
http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e2%80%9cspecificity-knob%e2%80%9d/#comment-1048

Some people think my stand controversial...

What do you guys think?

----
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven

http://www.cigital.com
Software Confidence. Achieved.