[SC-L] implementable process level secure development thoughts
I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books and articles into something implementable. I am not finding, and it may just be I am looking in the wrong places, any information on how people are actually implementing the concepts. I have found the high level ideas (like in Software Security and the MS SDL) and the low level code level rules, but there does not seem to be any information on how these two are being merged and used in actual development projects.

Are there any non-proprietary materials out there? If there are none, could this be part of the problem of getting secure development/design/testing/coding out into the real world?

Thanks,
Andy

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] implementable process level secure development thoughts
Hi Andy,

We build and then execute plans to do that kind of activity all the time at Cigital. Unfortunately, the plans are all highly tailored to the politics and operations of our specific customers, and they are proprietary. Basically they do involve several aspects in common if you step way back and squint:

* roles and responsibilities for disparate groups
* a rollout plan for different touchpoints (including tools)
* a portal for secdev data (guidelines, rules, tool usage data, ...)
* a training program with ties to HR and advancement
* legal guidance and assurance case plans for legacy and COTS software

A plan for a large scale software security initiative usually encompasses activities slated to span several years. We have rolled them out in multi-national enterprises with over 10,000 developers. Measurement helps.

Check out chapter 10 in Software Security for slightly more.

Hope that helps.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 3/11/08 12:20 PM, Andy Murren [EMAIL PROTECTED] wrote:

> I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books and articles into something implementable. I am not finding, and it may just be I am looking in the wrong places, any information on how people are actually implementing the concepts. I have found the high level ideas (like in Software Security and the MS SDL) and the low level code level rules, but there does not seem to be any information on how these two are being merged and used in actual development projects.
>
> Are there any non-proprietary materials out there? If there are none, could this be part of the problem of getting secure development/design/testing/coding out into the real world?
>
> Thanks,
> Andy
Re: [SC-L] implementable process level secure development thoughts
Andy,

You wrote...

> I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books and articles into something implementable. I am not finding, and it may just be I am looking in the wrong places, any information on how people are actually implementing the concepts. I have found the high level ideas (like in Software Security and the MS SDL) and the low level code level rules, but there does not seem to be any information on how these two are being merged and used in actual development projects.
>
> Are there any non-proprietary materials out there? If there are none, could this be part of the problem of getting secure development/design/testing/coding out into the real world?

Not sure what you are exactly looking for, but I recently reviewed the book

Integrating Security and Software Engineering: Advances and Future Vision, Mouratidis H., Giorgini P., IGI Global, 2006, ISBN-10: 1599041480, ISBN-13: 978-1599041483.

for Computing Reviews. (The review was posted online 2 or 3 weeks ago. Not sure if it's still up or not.) The cost for the book on Amazon.com is ~$80.

This book covered some of the gaps that you may be referring to. E.g., it covered quite a few secure design methodologies and how they (more or less) fit into an SDLC.

NOTE: This book is very academic in nature and difficult reading and does not truly reflect current _practice_. However, it has an excellent bibliography that is useful if you wish to explore the topics more deeply.

Can't really say much more about this (at least in a public forum) because Computing Reviews (http://www.reviews.com/) owns the copyright of the review. Contact me off-list if you want any specific question answered regarding this book.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
[EMAIL PROTECTED]
Phone: 614.215.4788

"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration."
- Edsger Dijkstra, "How do we tell truths that matter?"
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html