WebApp Sec mailing list archives

RE: Secure software development documents


From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Mon, 26 Jul 2004 10:23:10 -0400

Udayan,

I would recommend first looking at OWASP (http://www.owasp.org/). Their
guide is relatively complete and of good quality. If you have $$$ to
spend, I would recommend the 2-day Blackhat course "Network Application
Design & Secure Implementation"
(http://www.blackhat.com/html/bh-usa-04/train-bh-usa-04-dm.html)
I found the course to be incredibly helpful, and it comes with a custom
manual that is very detailed. Together, these two would probably get you
85% of the way there. The rest is (a) experience, (b) staying current
(bugtraq, webappsec, etc), and (c) just being an intelligent individual.

Mike Scovetta


-----Original Message-----
From: udayan pathak [mailto:udayan_pathak () yahoo com] 
Sent: Monday, July 26, 2004 7:19 AM
To: webappsec () securityfocus com; secprog () securityfocus com
Subject: Secure software development documents

Hi everyone

I have a query!

What are the documentation standards being followed as
far as secure software development is concerned? I
find that in the current software development process
the documents generated do not, or barely, cover the
security of the application being developed.

All the normal documents for requirement
specification, requirement tracking, high level and
low level design documents etc have nothing more than
a small section in their template format for security,
which looks more like a formality and hardly serves
the purpose.

Especially as far as software testing is concerned, one
gets the feeling that the provision for security
testing in test cases gets diluted in the sea of
functionality testing.

Has anyone got any insights into this? Or any other
standard being followed?

Please let me know


Udayan Pathak

