Secure Coding mailing list archives

implementable process level secure development thoughts


From: roman.hustad at yahoo.com (Roman H.)
Date: Tue, 11 Mar 2008 11:40:28 -0700 (PDT)

Andy, I think this is a really good question.  I am not aware of any comprehensive non-proprietary materials that are 
available, although I know lots of companies have developed this sort of thing either internally or with the help of a 
consultancy (full disclosure: I'm a consultant).  I would agree with you that the apparent lack of concrete examples is 
probably hindering the spread of software security in the real world.  

In my experience, the actual software security processes that are implemented at a company need to be specifically 
tailored to fit with existing processes (i.e. SDLC, build and release) and technologies (e.g. CVS, Ant, testing tools, 
project management tools).  Because each company has a unique combination of processes/tools and even individual 
projects may have varying tolerance for risk and compliance requirements, there is no "standard" way of doing it.  That 
said, I think one or more case studies would be really helpful if they included things like: 

- source control branching to enforce code reviews and testing
- change control
- organization of the software security team
- sanitizing sensitive production data for development
- quick and dirty risk prioritization of applications
- metrics

Some of this is already out there.  Things like threat modeling and penetration testing already have well documented 
methodologies so you could probably skip the detail for them. 

Gary McGraw just recently mentioned that he is looking for people to author books that provide this level of detail, so 
perhaps you could collaborate with him and get your documents published.  OWASP and the DHS Build Security In project 
are other options.  Can you provide the list with more detail about the particular topics you are writing about?

Roman Hustad



Andy Murren <amurren at gmail.com> wrote:

I have been working on developing a series of documents to turn the
ideas encompassed on this list and in what I can find in books &
articles.  I am not finding, and it may just be I am looking in the
wrong places, for any information on how people are actually
implementing the concepts.  I have found the high level ideas (like in
"Software Security" and the MS SDL) and the low level code level
rules, but there does not seem to be any information on how these two
are being merged and used in actual development projects.  Are there
any non-proprietary materials out there?

If there are none, could this be part of the problem of getting secure
development/design/testing/coding out into the real world?

Thanks,

Andy
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________