My starting point is sort of simple: how to weave secure development
into the basic SDLC.  I am assuming that regardless of what you call
the steps most folks use a multi-step process.  Working with a 5 step
process (Plan, Design, Develop, Test, Deploy), what is added to each of
those steps?  A lot of focus is on the Develop and Test steps with
code standards and static code analysis tools.  There is some higher
level work at the Plan and Design stages, and there does not seem to
be much at the Deploy.  The post-deployment maintenance is barely
covered in the reading I have done to date.

I have a lot of questions about each step, here are a few:

o During development and in post-deployment, how does new information
about threats get tracked and added to the designers'/developers'
knowledge base, both to correct current mistakes and to avoid making
mistakes in the future?

o What are good metrics for measuring success that are objective and
can be tracked in a meaningful way for bill payers?

o When you add an application (third party or internally developed) to
your network, what is an objective way of determining the actual
security threat to your infrastructure?

o What is the thinking on the tools to use to make sure important
requirements, be they externally legally mandated or internal standards,
are included at the design phase? Are people using the Security
Requirements Traceability Matrix (SRTM) from DoD or are they using
something else?

This is just an example of the many things I am wondering about.  I am
in the same position as many on not being in a position to reveal
company secrets, but I am looking to learn from the experience of others
and to have an ongoing discussion on what seems to me to be the next
logical step in the maturation of this field.

I would like to thank everyone for their feedback so far on this topic.

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.