Secure Coding mailing list archives
Software process improvement produces secure software?
From: jjchryan at gwu.edu (Julie Ryan)
Date: Tue, 7 Aug 2007 12:52:55 -0400
A simple way to understand why implementing software development process improvement will not necessarily produce secure software is to read the Common Criteria. yes, I know that it's opaque and hard to understand, but once you have gone through the process of writing a Protection Profile for an implementation independent information technology application, it becomes a lot clearer why simply having a good software development process does not imply secure software. which is why I make all my students write a protection profile on a topic that I pick (the latest ones centered around computer forensics tools) On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:
Dear list members. In june 2007, I had an interesting conversation with Mr. Will Hayes from SEI during the Brazilian Symposium on Software Quality. It was a great experience and I am very grateful for this. During our conversation, I made a question to Mr. Hayes similar to this: "Is it possible that only software development process improvements can produce secure software?" The scenario was only based on CMMI without security interference. His answer to this question was "YES". My answer was "I DO NOT THINK SO". His answer made me confuse and I had no arguments, mainly, because my professional experience in software process does not compare to Mr. Haye's experience. Unfortunately, I also haven't found any statistics which could answer this question. Please, if there is one, let me know! So, how about you, list members? What are your answers to the question above? I will try to organize your answers and present the final result. Thank you. Yours faithfully, Francisco Jos? Barreto Nunes. Alertas do Yahoo! Mail em seu celular. Saiba mais em http://br.mobile.yahoo.com/mailalertas/ _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
Julie J.C.H. Ryan, D.Sc. Assistant Professor Engineering Management and System Engineering George Washington University An NSA certified Center of Academic Excellence in Information Assurance Education http://www.seas.gwu.edu/~jjchryan/ http://www.seas.gwu.edu/~infosec/
Current thread:
- Software process improvement produces secure software? Francisco Nunes (Aug 07)
- Software process improvement produces secure software? Goertzel, Karen (Aug 07)
- Software process improvement produces secure software? McGovern, James F (HTSC, IT) (Aug 29)
- Software process improvement produces secure software? Julie Ryan (Aug 07)
- Software process improvement produces secure software? Kenneth Van Wyk (Aug 08)
- Software process improvement produces secure software? George Capehart (Aug 09)
- Really dumb questions? McGovern, James F (HTSC, IT) (Aug 29)
- Message not available
- Really dumb questions? Bret Watson (Aug 29)
- Really dumb questions? Robert C. Seacord (Aug 30)
- Software process improvement produces secure software? George Capehart (Aug 09)
- Really dumb questions? John Steven (Aug 30)
- Really dumb questions? Leichter, Jerry (Aug 30)
- Software process improvement produces secure software? Goertzel, Karen (Aug 07)