The US Dept of Defense has done some work on the procurement side of the problem. Here are two papers for those in very large bureaucracies who might be interested:
Best Software Assurance Practices in Acquisition of Trusted Systems
http://www.cisse.info/colloquia/cisse10/proceedings10/pdfs/papers/S02P03.pdf

Software Assurance: Five Essential Considerations for Acquisition Officials
http://www.stsc.hill.af.mil/CrossTalk/2007/05/0705PolydysWisseman.html

On Jul 9, 2007, at 1:16 PM, McGovern, James F (HTSC, IT) wrote:

> If you are seeking additional book ideas for this series, may I suggest
> posting to [EMAIL PROTECTED]
>
> There are two books that I would love to see:
>
> - Designing Secure Software - Not everything is about the code
> - Procuring Secure Software - Most enterprises nowadays buy software vs
>   build it
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary McGraw
> Sent: Thursday, July 05, 2007 9:01 AM
> To: 'Brian Chess'; 'sc-l@securecoding.org'
> Subject: Re: [SC-L] Secure Programming with Static Analysis
>
> Hi sc-l,
>
> I have read this awesome book (more than once) and can vouch for it. It
> is an important part of the Addison-Wesley software security series, the
> series that includes:
> Software Security www.swsec.com
> Rootkits
> Exploiting Software
> Building Secure Software
> (and any day now Exploiting Online Games)
>
> For more on the series, see www.buildingsecurityin.com. We are always
> on the lookout for more titles for the series, especially if they dive
> deeply into one of the seven touchpoints, so if you have a book idea
> please let me know.
>
> Meanwhile, click on this link and buy Brian and Jacob's book:
> http://www.amazon.com/dp/0321424778
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________