[SC-L] implementable process level secure development thoughts

2008-03-11 Thread Andy Murren
I have been working on developing a series of documents to turn the
ideas encompassed on this list and in what I can find in books &
articles.  I am not finding, and it may just be I am looking in the
wrong places, for any information on how people are actually
implementing the concepts.  I have found the high level ideas (like in
Software Security and the MS SDL) and the low level code level
rules, but there does not seem to be any information on how these two
are being merged and used in actual development projects.  Are there
any non-proprietary materials out there?

If there are none, could this be part of the problem of getting secure
development/design/testing/coding out into the real world?

Thanks,

Andy
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Gary McGraw
Hi Andy,

We build and then execute plans to do that kind of activity all the time at 
Cigital.  Unfortunately, the plans are all highly tailored to the politics and 
operations of our specific customers, and they are proprietary.

Basically they do involve several aspects in common if you step way back and 
squint:
* roles and responsibilities for disparate groups
* a rollout plan for different touchpoints (including tools)
* a portal for secdev data (guidelines, rules, tool usage data, ...)
* a training program with ties to HR and advancement
* legal guidance and assurance case plans for legacy and COTS software

A plan for a large scale software security initiative usually encompasses 
activities slated to span several years.   We have rolled them out in 
multi-national enterprises with over 10,000 developers.  Measurement helps.

Check out chapter 10 in Software Security for slightly more.  Hope that helps.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 3/11/08 12:20 PM, Andy Murren [EMAIL PROTECTED] wrote:

I have been working on developing a series of documents to turn the
ideas encompassed on this list and in what I can find in books &
articles.  I am not finding, and it may just be I am looking in the
wrong places, for any information on how people are actually
implementing the concepts.  I have found the high level ideas (like in
Software Security and the MS SDL) and the low level code level
rules, but there does not seem to be any information on how these two
are being merged and used in actual development projects.  Are there
any non-proprietary materials out there?

If there are none, could this be part of the problem of getting secure
development/design/testing/coding out into the real world?

Thanks,

Andy


Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Andy Murren
Roman,

My starting point is sort of simple: how to weave secure development
into the basic SDLC.  I am assuming that regardless of what you call
the steps, most folks use a multi-step process.  Working with a 5-step
process (Plan, Design, Develop, Test, Deploy), what is added to each of
those steps?  A lot of focus is on the Develop and Test steps, with
code standards and static code analysis tools.  There is some higher
level work at the Plan and Design stages, and there does not seem to
be much at the Deploy step.  The post-deployment maintenance is barely
covered in the reading I have done to date.

I have a lot of questions about each step, here are a few:

o During development and in post-deployment, how does new information
about threats get tracked and added to the designers'/developers'
knowledge base, both to correct current mistakes and to avoid making
mistakes in the future?

o What are good metrics for measuring success that are objective and
can be tracked in a meaningful way for bill payers?

o When you add an application (third party or internally developed) to
your network, what is an objective way of determining the actual
security threat to your infrastructure?

o What is the thinking on the tools to use to make sure important
requirements, be they externally legally mandated or internal standards,
are included at the design phase?  Are people using the Security
Requirements Traceability Matrix (SRTM) from DoD, or are they using
something else?

This is just an example of the many things I am wondering about.  I am
in the same position as many, in not being in a position to reveal
company secrets, but I am looking to learn from the experience of others
and to have an ongoing discussion on what seems to me to be the next
logical step in the maturation of this field.

I would like to thank everyone for their feedback so far on this topic,

Andy
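As an added example (not code from the thread or from any poster), here is one way to mechanize the kind of Security Requirements Traceability Matrix Andy asks about, and to pull an objective, trackable number out of it for the bill payers. Every requirement, control and test below is constructed and hypothetical: the "audit mandate" and "internal standard" labels stand in for whatever external or internal obligations a real project would tag its requirements with. The check walks requirement -> design control -> test case, reports requirements that never reached design, reached design but were never tested, or are failing, and flags dangling ids, which is the usual way a hand-kept matrix rots.

```python
"""Security requirements traceability matrix (SRTM) check.

Added example, not code from the thread or any poster. All data is
constructed: requirements tagged with the hypothetical mandate or internal
standard they come from, design controls that claim to satisfy them, and
test cases that verify those controls. The check walks
requirement -> control -> test, flags requirements that never reached
design, reached design but were never tested, or are failing, reports
dangling ids (the usual defect in a hand-kept matrix), and gives a
per-source coverage figure that can be tracked release over release.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    source: str                  # origin of the obligation (constructed label)


@dataclass(frozen=True)
class Control:
    cid: str
    text: str
    satisfies: Tuple[str, ...]   # requirement ids this design element covers


@dataclass(frozen=True)
class TestCase:
    tid: str
    verifies: Tuple[str, ...]    # control ids this test exercises
    passed: bool


# Constructed sample data (hypothetical; not from any real project).
REQUIREMENTS = [
    Requirement("REQ-01", "Authentication events are logged with user id and source address",
                "hypothetical audit mandate"),
    Requirement("REQ-02", "Passwords are stored with a salted, adaptive hash", "internal standard"),
    Requirement("REQ-03", "Sessions expire after 30 minutes of inactivity", "internal standard"),
    Requirement("REQ-04", "Database queries use bound parameters, never string concatenation",
                "internal standard"),
]
CONTROLS = [
    Control("CTL-A", "Auth module writes to the central audit log", ("REQ-01",)),
    Control("CTL-B", "Password helper wraps an adaptive hash", ("REQ-02",)),
    Control("CTL-C", "Data layer uses the ORM's parameter binding", ("REQ-04",)),
    Control("CTL-D", "Rate limiter on login endpoint", ("REQ-09",)),  # dangling: REQ-09 does not exist
]
TESTS = [
    TestCase("T-1", ("CTL-A",), passed=True),
    TestCase("T-2", ("CTL-B",), passed=False),
    TestCase("T-3", ("CTL-Z",), passed=True),                           # dangling: CTL-Z does not exist
]


def build_srtm(requirements: List[Requirement], controls: List[Control],
               tests: List[TestCase]) -> Dict[str, dict]:
    """Map each requirement id to its controls, tests and a status."""
    ctrls_by_req: Dict[str, List[str]] = {}
    for c in controls:
        for rid in c.satisfies:
            ctrls_by_req.setdefault(rid, []).append(c.cid)
    tests_by_ctrl: Dict[str, List[TestCase]] = {}
    for t in tests:
        for cid in t.verifies:
            tests_by_ctrl.setdefault(cid, []).append(t)

    matrix = {}
    for r in requirements:
        cids = ctrls_by_req.get(r.rid, [])
        tcs = [t for cid in cids for t in tests_by_ctrl.get(cid, [])]
        if not cids:
            status = "NO_CONTROL"    # requirement never reached design
        elif not tcs:
            status = "UNVERIFIED"    # designed, but nothing exercises it
        elif all(t.passed for t in tcs):
            status = "VERIFIED"
        else:
            status = "FAILING"
        matrix[r.rid] = {"source": r.source, "controls": cids,
                         "tests": [t.tid for t in tcs], "status": status}
    return matrix


def find_orphans(requirements, controls, tests) -> List[Tuple[str, str]]:
    """Ids referenced by a control or test that exist nowhere in the matrix."""
    known_req = {r.rid for r in requirements}
    known_ctl = {c.cid for c in controls}
    orphans = [(c.cid, rid) for c in controls for rid in c.satisfies if rid not in known_req]
    orphans += [(t.tid, cid) for t in tests for cid in t.verifies if cid not in known_ctl]
    return orphans


def coverage_by_source(matrix) -> Dict[str, Tuple[int, int]]:
    """(verified, total) per requirement source: the number to show the bill payers."""
    out: Dict[str, Tuple[int, int]] = {}
    for row in matrix.values():
        v, n = out.get(row["source"], (0, 0))
        out[row["source"]] = (v + (row["status"] == "VERIFIED"), n + 1)
    return out


def coverage(matrix) -> float:
    """Overall fraction of requirements whose whole chain is verified."""
    if not matrix:
        return 0.0
    return sum(r["status"] == "VERIFIED" for r in matrix.values()) / len(matrix)


if __name__ == "__main__":
    srtm = build_srtm(REQUIREMENTS, CONTROLS, TESTS)
    for rid, row in srtm.items():
        print(f"{rid}  {row['status']:<11} controls={row['controls']} tests={row['tests']}")
    print("dangling references:", find_orphans(REQUIREMENTS, CONTROLS, TESTS))
    print("coverage by source:", coverage_by_source(srtm))
    print(f"overall coverage: {coverage(srtm):.0%}")
```

Run stand-alone it prints one row per requirement, the two dangling references, and a coverage figure; the per-source split is the part worth keeping over time, since a "NO_CONTROL" against an externally mandated requirement is a different conversation from one against an internal standard. Wiring the three lists to a requirements tracker, a design document and a test runner instead of literals is the integration work the thread is asking about.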


Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Wall, Kevin
Andy,

You wrote...

 I have been working on developing a series of documents to turn the
 ideas encompassed on this list and in what I can find in books &
 articles.  I am not finding, and it may just be I am looking in the
 wrong places, for any information on how people are actually
 implementing the concepts.  I have found the high level ideas (like in
 Software Security and the MS SDL) and the low level code level
 rules, but there does not seem to be any information on how these two
 are being merged and used in actual development projects.  Are there
 any non-proprietary materials out there?
 
 If there are none, could this be part of the problem of getting secure
 development/design/testing/coding out into the real world?

Not sure what you are exactly looking for, but I recently reviewed
the book

Integrating Security and Software Engineering: Advances and
Future Vision, Mouratidis H., Giorgini P., IGI Global, 2006,
ISBN-10: 1599041480, ISBN-13: 978-1599041483.

for Computing Reviews. (The review was posted online 2 or 3 weeks ago.
Not sure if it's still up or not.) The cost for the book on Amazon.com
is ~$80.

This book covered some of the gaps that you may be referring to. E.g.,
it covered quite a few secure design methodologies and how they
(more or less) fit into an SDLC.

NOTE: This book is very academic in nature and difficult reading,
and does not truly reflect current _practice_. However, it has an
excellent bibliography that is useful if you wish to explore the topics
more deeply. Can't really say much more about this (at least in a public
forum) because Computing Reviews (http://www.reviews.com/) owns the
copyright of the review.

Contact me off-list if you want any specific question answered regarding
this book.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html 

