WebApp Sec mailing list archives
Re: Secure software development documents
From: roger.smith () calyonfinancial com
Date: Mon, 26 Jul 2004 09:29:12 -0500
Good subjects.....but I'm not sure what subject you're inquiring about.....

The security of the finished app?
The security of the process of developing apps?

For the finished app I can recommend a "risk based" approach:

An analysis should occur at the outset during project definition to determine the stakes of the application in terms of these security concerns:

- Availability of information
- Confidentiality of information
- Integrity of information
- Proof or Audit trail of information management events (who changed what and when)

From knowing the stakes the analysts can pose scenarios that would affect ACIP. IT and business management can propose measures to mitigate those risks. They may be technical or operational -

Technical - RAID, data validation, authentication, encryption etc.
Operational - Double signature procedures, human checks and balances etc.

The business owner (the group that lives and dies on the apps) will have to negotiate with IT on what technical measures can be employed based on budget and resources etc.

The mitigating measures chosen should become part of the specification of work. The implementation of these measures will be tested and signed off just as any other part of the app development specs would be.

This risk based approach requires a cultural acceptance in the organization. I have found that cultures averse to such an approach prefer things fast and loose and believe they can live with less quality in their final product.

My motto "Go slower to go faster".
From the aged craftsman that taught me - "Measure twice; cut once".

There are resources on the internet that speak to Risk Based Security models. I have proposed here a small out-take of one such program I have had good results with.

For the process of developing apps? Look into "Expert Programming Methodology". That methodology is truly centered on - Go slower to go faster.

Roger Smith

udayan pathak <udayan_pathak@yahoo.com>
07/26/2004 06:18 AM
To: webappsec () securityfocus com, secprog () securityfocus com
cc:
Subject: Secure software development documents

Hi everyone

I have a query! What are the documentation standards being followed as far as secure software development is concerned?

I find that in the current software development process the documents generated do not/barely cover the security of the application being developed.

All the normal documents for requirement specification, requirement tracking, high level and low level design documents etc. have nothing more than a small section in their template format for security, which looks more like a formality and hardly serves the purpose.

Especially as far as software testing is concerned one gets the feeling that the provision for security testing in test cases gets diluted in the sea of functionality testing.

Has anyone got any insights into this? Or any other standard being followed?

Please let me know

Udayan Pathak