implementable process level secure development thoughts

[Kevin.Wall at qwest.com (Wall, Kevin)]

Andy,

You wrote...

> I have been working on developing a series of documents to turn the
> ideas encompassed on this list and in what I can find in books &
> articles.  I am not finding, and it may just be I am looking in the
> wrong places, for any information on how people are actually
> implementing the concepts.  I have found the high level ideas (like in
> "Software Security" and the MS SDL) and the low level code level
> rules, but there does not seem to be any information on how these two
> are being merged and used in actual development projects.  Are there
> any non-proprietary materials out there?
>
> If there are none, could this be part of the problem of getting secure
> development/design/testing/coding out into the real world?

Not sure what you are exactly looking for, but I recently reviewed
the book

        Integrating Security and Software Engineering: Advances and
        Future Vision, Mouratidis H., Giorgini P., IGI Global, 2006,
        ISBN-10: 1599041480, ISBN-13: 978-1599041483.

for Computing Reviews. (Review was posted online a 2 or 3 weeks ago.
Not sure if it's still up or not.) The cost for the book on Amazon.com
is ~$80.

This book covered some of the "gaps" that you may be referring to. E.g.,
it covered quite a few secure design methodologies and how they
(more or less) fit into an SDLC.

NOTE: This book is very academic in nature and difficult reading
and does not truly reflect current _practice_. However, it has a
excellent
bibliography that is useful if you wish to explore the topics more
deeply.
Can't really say much more about this (at least in a public forum)
because
Computing Reviews (http://www.reviews.com/) owns the copyright of the
review.

Contact me off-list if you want any specific question answered regarding
this book.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.