Roman,

My starting point is sort of simple: how to weave secure development into the basic SDLC. I am assuming that, regardless of what you call the steps, most folks use a multi-step process. Working with a 5-step process (Plan, Design, Develop, Test, Deploy), what is added to each of those steps? A lot of focus is on the Develop and Test steps, with code standards and static code analysis tools. There is some higher-level work at the Plan and Design stages, and there does not seem to be much at Deploy. Post-deployment maintenance is barely covered in the reading I have done to date.

I have a lot of questions about each step; here are a few:

o During development and in post-deployment, how does new information about threats get tracked and added to the designers'/developers' knowledge base, both to correct current mistakes and to avoid making mistakes in the future?

o What are good metrics for measuring success that are objective and can be tracked in a meaningful way for bill payers?

o When you add an application (third party or internally developed) to your network, what is an objective way of determining the actual security threat to your infrastructure?

o What is the thinking on the tools to use to make sure important requirements, be they externally legally mandated or internal standards, are included at the design phase? Are people using the Security Requirements Traceability Matrix (SRTM) from DoD, or are they using something else?

This is just an example of the many things I am wondering about. I am in the same position as many on not being in a position to reveal company secrets, but I am looking to learn from the experience of others and to have an ongoing discussion on what seems to me to be the next logical step in the maturation of this field.

I would like to thank everyone for their feedback so far on this topic,

Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________