Gary,

Could you clarify your (and/or the BSIMM) position on "secure by design"
vs "designed to be secure"?  You're encouraging the adoption of
secure-by-design building blocks, as a part of SFD2.1, but then warning
that "designed to be secure" != "secure".  I can think of examples/ways
that what you've said can be true, but am not sure what you're actually
referring to.

Of course we all know that all systems have design and implementation
defects, though solid processes can significantly reduce the number of
those.  And we all can think of plenty of examples of security add-ons
that have actually worsened the true vulnerability of the resulting
software system.

From my perspective, there are a lot of security frameworks out there
that help software engineers "do the same thing more securely", and then
there are approaches that fundamentally change the way the "thing" is
done.  One example might be giving someone a better strcpy() on the one
hand, versus entirely swapping out their imperative programming paradigm
for a more declarative one.

Thanks,

- Greg

Gary McGraw wrote, On 10/21/2011 11:14 AM:
> The particular BSIMM activity in question is SFD2.1 (one of the 109 BSIMM
> activities).  Here is its description from page 27 of the BSIMM:
> SFD2.1: **Build secure-by-design middleware frameworks/common libraries.**
> The SSG takes a proactive role in software design by building or providing
> pointers to secure-by-design middleware frameworks or common libraries.

...

> What is implied is
> a warning that even things designed to be secure often may not be
> (buyer...or cut-n-paster...beware).
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
