Andy, I think this is a really good question. I am not aware of any comprehensive non-proprietary materials that are available, although I know lots of companies have developed this sort of thing either internally or with the help of a consultancy (full disclosure: I'm a consultant). I would agree with you that the apparent lack of concrete examples is probably hindering the spread of software security in the real world.
In my experience, the actual software security processes that are implemented at a company need to be specifically tailored to fit with existing processes (i.e. SDLC, build and release) and technologies (e.g. CVS, Ant, testing tools, project management tools). Because each company has a unique combination of processes/tools and even individual projects may have varying tolerance for risk and compliance requirements, there is no "standard" way of doing it.

That said, I think one or more case studies would be really helpful if they included things like:
- source control branching to enforce code reviews and testing
- change control
- organization of the software security team
- sanitizing sensitive production data for development
- quick and dirty risk prioritization of applications
- metrics

Some of this is already out there. Things like threat modeling and penetration testing already have well documented methodologies, so you could probably skip the detail for them. Gary McGraw just recently mentioned that he is looking for people to author books that provide this level of detail, so perhaps you could collaborate with him and get your documents published. OWASP and the DHS Build Security In project are other options.

Can you provide the list with more detail about the particular topics you are writing about?

Roman Hustad

Andy Murren <[EMAIL PROTECTED]> wrote:

I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books & articles. I am not finding, and it may just be I am looking in the wrong places, any information on how people are actually implementing the concepts. I have found the high level ideas (like in "Software Security" and the MS SDL) and the low level code level rules, but there does not seem to be any information on how these two are being merged and used in actual development projects. Are there any non-proprietary materials out there?

If there are none, could this be part of the problem of getting secure development/design/testing/coding out into the real world?

Thanks,
Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________