All,

My last two posts to Cigital's blog covered whether or not to build your
security standards specific to a technology-stack and code-centric or to be
more general about them:

http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e2%80%9cspecificity-knob%e2%80%9d/

And

http://www.cigital.com/justiceleague/2007/05/21/how-to-write-good-security-guidance/

Dave posted a comment on the topic, which I'm quoting here:
-----
Your point about the "perishability" of such prescriptive checklists does
make the adoption of such a program fairly high maintenance. Nothing wrong
with that, but expectations should be set early that this would not be a
fire and forget type of program, but rather an ongoing investment.
-----

I agree, specifying guidance at this level does take a lot more effort; you
get what you pay for, eh? I responded in turn with a comment of my own. I've
seen some organizations control this cost effectively and still get value:

See:
http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e2%80%9cspecificity-knob%e2%80%9d/#comment-1048

Some people think my stand controversial...

What do you guys think?

----
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven

http://www.cigital.com
Software Confidence. Achieved.


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________