On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:
During our conversation, I made a question to Mr. Hayes similar to this: "Is it possible that only software development process improvements can produce secure software?"The scenario was only based on CMMI without security interference.
All that follows is IMHO, of course... I would have to agree with you, Francisco, that process improvements "without security interference" are unlikely to produce significant changes in the security of the software produced.
That said, I am a believer in somewhat more rigorous security-based software process. In particular, I think it's worth spending additional time/effort delving into the non-functional aspects of software, from requirements gathering through design as well as during the implementation/coding phases. I think that solutions that focus solely on implementation improvement are not sufficient. To me, a vital component in improving throughout the dev process must focus on process improvement.
That is, process improvement based not (necessarily) on CMMI, and _with_ "security interference". :-) But I also don't like to see process for the sake of _process_. I'm fine with intelligently applied ad hoc processes, if that's not too much of a contradiction in terms.
Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Description: S/MIME cryptographic signature
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________