Secure Coding mailing list archives

Software process improvement produces secure software?

From: goertzel_karen at bah.com (Goertzel, Karen)
Date: Tue, 7 Aug 2007 09:39:06 -0400

I've always had a question about this as well; specifically, what is really meant by "adding security to a CMM"?

I've always felt that the level at which the software (or system) process is defined by a CMM is too high and too 
abstract for the addition of security activities to be particularly meaningful.

My feeling is that a CMM is best used as a means of ensuring that the more detailed life cycle process is implemented 
in a disciplined manner, and that the amount of benefit, in terms of improvement of whatever property one is trying to 
improve - quality, reliability, security, safety - of the system/software that results from the process can be measured.

Where the actual security activities need to be defined and added are to the life cycle methodology. At best, adding 
security to a CMM can provide a very high level framework for helping someone who is "shopping" for a life cycle 
methodology know what to look for in that methodology. Is a CMM necessary for that purpose? I'm not convinced that it 
is.

I think what is likely to be more effective is a change in outlook by the practitioners who will be using the life 
cycle methodology. Their outlook needs to change so that a single question is asked before any choice or decision is 
made: What are the security implications of the choice/decision?

Of course, there's much more to it than just asking that question. And that's the reason we need to train developers, 
testers, etc. to (1) understand what "security" means, both at the software and system levels; (2) visualise and 
recognise the possible impact(s) each of their choices/decisions could have on the security of the system they are 
building (before the fact); (3) recognise the impacts each of their choices/decisions has had on the security of the 
system they have built (after the fact). Tools and techniques to help developers do the second and third of these are 
proliferating (e.g., threat modeling, attack trees, etc. for before-the-fact; analysis and testing tools for 
after-the-fact). But in the end, I believe the #1 factor that will contribute to the increased security of software is 
the developer's mentality. A security-aware...and more importantly, a security-*concerned&...developer is more likely 
to (1) avoid making bad choices and decisions, and (2) to take an interest in, and pursue becoming, knowledgeable 
enough to correct bad choices that he/she did not avoid making earlier.

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.902.6981
goertzel_karen at bah.com




-----Original Message-----
From: sc-l-bounces at securecoding.org on behalf of Francisco Nunes
Sent: Tue 07-Aug-07 07:01
To: sc-l at securecoding.org
Subject: [SC-L] Software process improvement produces secure software?
 
Dear list members.

In june 2007, I had an interesting conversation with
Mr. Will Hayes from SEI during the Brazilian Symposium
on Software Quality. It was a great experience and I
am very grateful for this.

During our conversation, I made a question to Mr.
Hayes similar to this: "Is it possible that only
software development process improvements can produce
secure software?"

The scenario was only based on CMMI without security
interference.

His answer to this question was "YES". My answer was
"I DO NOT THINK SO".

His answer made me confuse and I had no arguments,
mainly, because my professional experience in software
process does not compare to Mr. Haye's experience.

Unfortunately, I also haven't found any statistics
which could answer this question. Please, if there is
one, let me know!

So, how about you, list members? What are your answers
to the question above?

I will try to organize your answers and present the
final result.

Thank you.

Yours faithfully,
Francisco Jos? Barreto Nunes.


      Alertas do Yahoo! Mail em seu celular. Saiba mais em http://br.mobile.yahoo.com/mailalertas/
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070807/b925d7be/attachment.html

Current thread:

Software process improvement produces secure software? Francisco Nunes (Aug 07)
- Software process improvement produces secure software? Goertzel, Karen (Aug 07)
  - Software process improvement produces secure software? McGovern, James F (HTSC, IT) (Aug 29)
- Software process improvement produces secure software? Julie Ryan (Aug 07)
- Software process improvement produces secure software? Kenneth Van Wyk (Aug 08)
  - Software process improvement produces secure software? George Capehart (Aug 09)
    - Really dumb questions? McGovern, James F (HTSC, IT) (Aug 29)
    - Message not available
    - Really dumb questions? Bret Watson (Aug 29)
    - Really dumb questions? Robert C. Seacord (Aug 30)
    - Really dumb questions? John Steven (Aug 30)
    - Really dumb questions? Leichter, Jerry (Aug 30)