> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Goertzel, Karen
> Sent: 25 June 2007 19:49
> To: Secure Coding
> Subject: [SC-L] But what proof do we have that any of it 
> makes a difference?
> 
> There are two closely-related questions that keep arising for 
> which I still can find no satisfying answer (for me 
> "satisfying" means "supported by concrete evidence"):
> 
> [1] Will using a secure SDLC methodology (or a set of secure 
> development "best practices") actually produce software that 
> will, when deployed "in the wild" resist or tolerate attacks 
> and attempted executions of inserted/embedded malicious code 
> better than software whose developers did not use a secure 
> SDLC methodology?
> 
> [2] Will software that adheres to a set of "security 
> principles", when deployed "in the wild", actually resist or 
> tolerate attacks and attempted execution of inserted/embedded 
> malicious code better than software whose developers did not 
> adhere to security principles?
> 
> 
You might find some useful evidence here: 

http://www.praxis-his.com/pdfs/issse2006tokeneer.pdf

The NSA were cetainly impressed with benefits of a rigorous engineering
approach to software development.

Peter

--------------------------------------------------------

Peter Amey BSc ACGI CEng CITP MRAes FBCS


CTO (Software Engineering)

direct:   +44 (0) 1225 823761

mobile: +44 (0) 7774 148336

[EMAIL PROTECTED]

 

Praxis High Integrity Systems Ltd

20 Manvers St, Bath, BA1 1PX, UK

t: +44 (0)1225 466991

f: +44 (0)1225 469006

w: www.praxis-his.com

--------------------------------------------------------

 


This email is confidential and intended solely for the use of the individual to 
whom it is addressed. If you are not the intended recipient, be advised that 
you have received this email in error and that any use, disclosure, copying or 
distribution or any action taken or omitted to be taken in reliance on it is 
strictly prohibited. If you have received this email in error please contact 
the sender. Any views or opinions presented in this email are solely those of 
the author and do not necessarily represent those of Praxis. 

Although this email and any attachments are believed to be free of any virus or 
other defect, no responsibility is accepted by Praxis or any of its associated 
companies for any loss or damage arising in any way from the receipt or use 
thereof. The IT Department at Praxis can be contacted at [EMAIL PROTECTED]

Praxis High Integrity Systems Ltd:

Company Number: 3302507, registered in England and Wales

Registered Address: 20 Manvers Street, Bath. BA1 1PX

VAT Registered in Great Britain: 682635707


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Reply via email to