WebApp Sec mailing list archives

Re: secure software engineering methodology


From: Gunnar Peterson <gunnar () arctecgroup net>
Date: Mon, 22 Mar 2004 13:37:07 -0600

I did a Blackhat presentation on integrating security concerns into software development methodologies. The presentation addresses some artifacts which already exist in a "normal" software development methodology which can be used to address security aspects, and other artifacts which are security specific but need to be mapped to the process. Slides are at: www.arctecgroup.net/articles.htm (and at www.blackhat.com).

As to the question on RUP v. XP for security, both have elements which can be useful for security architecture, but neither gives a holistic treatment to security. So there is extensive tailoring to make either methodology address security in an end to end sense.

-Gunnar

On Mar 22, 2004, at 7:37 AM, Mads Rasmussen wrote:


Do any of you have any experience with methodologies for software engineering of secure software?

If you read the book "Building Secure Software" by John Viega and Gary McGraw, it says that extreme programming isn't good for security projects.

I was considering applying RUP, the Rational Unified Process, but I think that it must be customized to consider security aspects.

Do you have any experience with methodologies for software engineering of secure software? I remember you saying in the book "Building Secure Software" that extreme programming isn't good for security projects.

If you search papers by Matt Bishop [1], Edward Amoroso [2] and several others, you will only find bits and pieces. None of them refer to a specific methodology; some try to fit the Common Criteria [3] into the development process.
A paper that comes close is [4] by Marshall D. Abrams.

I know for a fact that AT&T Bell Labs has a secure development methodology called TSM, the Trusted Software Methodology. But nothing seems to be published publicly about its contents and workings.


[1] "Software Security Checklist for the Software Life Cycle" - Matt Bishop, David P. Gilliam, Thomas L. Wolfe and Josef S. Sherif

[2] "A Process-Oriented Methodology for Assessing and Improving Software Trustworthiness" - Edward Amoroso, Carol Taylor, John Watson and Jonathan Weiss

[3] "Secure Systems Development Based on the Common Criteria: The PalME Project" - Monika Vetterling, Guido Wimmel and Alexander Wisspeintner

[4] "Security Engineering in an Evolutionary Acquisition Environment" - Marshall D. Abrams


Gunnar Peterson
Arctec Group
www.arctecgroup.net