On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:
During our conversation, I made a question to Mr.
Hayes similar to this: "Is it possible that only
software development process improvements can produce
secure software?"

The scenario was only based on CMMI without security

All that follows is IMHO, of course... I would have to agree with you, Francisco, that process improvements "without security interference" are unlikely to produce significant changes in the security of the software produced.

That said, I am a believer in somewhat more rigorous security-based software process. In particular, I think it's worth spending additional time/effort delving into the non-functional aspects of software, from requirements gathering through design as well as during the implementation/coding phases. I think that solutions that focus solely on implementation improvement are not sufficient. To me, a vital component in improving throughout the dev process must focus on process improvement.

That is, process improvement based not (necessarily) on CMMI, and _with_ "security interference". :-) But I also don't like to see process for the sake of _process_. I'm fine with intelligently applied ad hoc processes, if that's not too much of a contradiction in terms.


Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to