Secure Coding mailing list archives

Software process improvement produces secure software?


From: ken at krvw.com (Kenneth Van Wyk)
Date: Wed, 8 Aug 2007 10:34:09 -0400


On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:
> During our conversation, I made a question to Mr.
> Hayes similar to this: "Is it possible that only
> software development process improvements can produce
> secure software?"
>
> The scenario was only based on CMMI without security
> interference.

All that follows is IMHO, of course...  I would have to agree with  
you, Francisco, that process improvements "without security  
interference" are unlikely to produce significant changes in the  
security of the software produced.

That said, I am a believer in somewhat more rigorous security-based  
software process.  In particular, I think it's worth spending  
additional time/effort delving into the non-functional aspects of  
software, from requirements gathering through design as well as  
during the implementation/coding phases.  I think that solutions that  
focus solely on implementation improvement are not sufficient.  To  
me, a vital component in improving throughout the dev process must  
focus on process improvement.

That is, process improvement based not (necessarily) on CMMI, and  
_with_ "security interference".  :-)  But I also don't like to see  
process for the sake of _process_.  I'm fine with intelligently  
applied ad hoc processes, if that's not too much of a contradiction  
in terms.

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



