Re: [SC-L] Bugs and flaws

2006-02-07 Thread Julie Ryan
8 principles with 2 more from physical security that apply only imperfectly to computer systems On Feb 7, 2006, at 9:59 AM, Jeff Williams wrote: I'm not sure which of the three definitions in Brian's message you're not concurring with,

Re: [SC-L] Secure Programming with Static Analysis

2007-07-09 Thread Julie Ryan
The US Dept of Defense has done some work on the procurement side of the problem. Here are two papers for those in very large bureaucracies who might be interested: Best Software Assurance Practices in Acquisition of Trusted Systems

Re: [SC-L] Software process improvement produces secure software?

2007-08-07 Thread Julie Ryan
A simple way to understand why implementing software development process improvement will not necessarily produce secure software is to read the Common Criteria. yes, I know that it's opaque and hard to understand, but once you have gone through the process of writing a Protection Profile for