Secure Coding mailing list archives

Software process improvement produces secure software?

From: jjchryan at gwu.edu (Julie Ryan)
Date: Tue, 7 Aug 2007 12:52:55 -0400

A simple way to understand why implementing software development 
process improvement will not necessarily produce secure software is to 
read the Common Criteria.

yes, I know that it's opaque and hard to understand, but once you have 
gone through the process of writing a Protection Profile for an 
implementation independent information technology application, it 
becomes a lot clearer why simply having a good software development 
process does not imply secure software.

which is why I make all my students write a protection profile on a 
topic that I pick (the latest ones centered around computer forensics 
tools)


On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:

Dear list members.

In june 2007, I had an interesting conversation with
Mr. Will Hayes from SEI during the Brazilian Symposium
on Software Quality. It was a great experience and I
am very grateful for this.

During our conversation, I made a question to Mr.
Hayes similar to this: "Is it possible that only
software development process improvements can produce
secure software?"

The scenario was only based on CMMI without security
interference.

His answer to this question was "YES". My answer was
"I DO NOT THINK SO".

His answer made me confuse and I had no arguments,
mainly, because my professional experience in software
process does not compare to Mr. Haye's experience.

Unfortunately, I also haven't found any statistics
which could answer this question. Please, if there is
one, let me know!

So, how about you, list members? What are your answers
to the question above?

I will try to organize your answers and present the
final result.

Thank you.

Yours faithfully,
Francisco Jos? Barreto Nunes.


      Alertas do Yahoo! Mail em seu celular. Saiba mais em 
http://br.mobile.yahoo.com/mailalertas/
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - 
http://krvw.com/mailman/listinfo/sc-l
List charter available at - 
http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC 
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Julie J.C.H. Ryan, D.Sc.
Assistant Professor
Engineering Management and System Engineering
George Washington University

An NSA certified Center of Academic Excellence in Information Assurance 
Education

http://www.seas.gwu.edu/~jjchryan/
http://www.seas.gwu.edu/~infosec/

Current thread:

Software process improvement produces secure software? Francisco Nunes (Aug 07)
- Software process improvement produces secure software? Goertzel, Karen (Aug 07)
  - Software process improvement produces secure software? McGovern, James F (HTSC, IT) (Aug 29)
- Software process improvement produces secure software? Julie Ryan (Aug 07)
- Software process improvement produces secure software? Kenneth Van Wyk (Aug 08)
  - Software process improvement produces secure software? George Capehart (Aug 09)
    - Really dumb questions? McGovern, James F (HTSC, IT) (Aug 29)
    - Message not available
    - Really dumb questions? Bret Watson (Aug 29)
    - Really dumb questions? Robert C. Seacord (Aug 30)
    - Really dumb questions? John Steven (Aug 30)
    - Really dumb questions? Leichter, Jerry (Aug 30)