Re: [SC-L] Software process improvement produces secure software?
One thing that I am firm in my belief is that process is not a substitute for competence. Imagine taking lots of overweight IT guys and training them to ride a horse. That doesn't mean that they will go on to become successful horse jockeys and you would be dumb to bet on them. In terms of CMMi, my thought says that buyers of consulting services and enterprise software need an independent way of quantifying what they are buying from a security perspective. While the logic used in outsourcing is flawed, buyers still prefer outsourcing firms that have higher levels of CMMI than those that don't. In the same way this listserv attempts to help folks write secure software, we need a way to help folks also procure secure software and stealing some aspects of CMMi while compromising some level of integrity will have lift in the long run. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goertzel, Karen Sent: Tuesday, August 07, 2007 9:39 AM To: sc-l@securecoding.org Subject: Re: [SC-L] Software process improvement produces secure software? I've always had a question about this as well; specifically, what is really meant by "adding security to a CMM"? I've always felt that the level at which the software (or system) process is defined by a CMM is too high and too abstract for the addition of security activities to be particularly meaningful. My feeling is that a CMM is best used as a means of ensuring that the more detailed life cycle process is implemented in a disciplined manner, and that the amount of benefit, in terms of improvement of whatever property one is trying to improve - quality, reliability, security, safety - of the system/software that results from the process can be measured. Where the actual security activities need to be defined and added are to the life cycle methodology. At best, adding security to a CMM can provide a very high level framework for helping someone who is "shopping" for a life cycle methodology know what to look for in that methodology. Is a CMM necessary for that purpose? I'm not convinced that it is. I think what is likely to be more effective is a change in outlook by the practitioners who will be using the life cycle methodology. Their outlook needs to change so that a single question is asked before any choice or decision is made: What are the security implications of the choice/decision? Of course, there's much more to it than just asking that question. And that's the reason we need to train developers, testers, etc. to (1) understand what "security" means, both at the software and system levels; (2) visualise and recognise the possible impact(s) each of their choices/decisions could have on the security of the system they are building (before the fact); (3) recognise the impacts each of their choices/decisions has had on the security of the system they have built (after the fact). Tools and techniques to help developers do the second and third of these are proliferating (e.g., threat modeling, attack trees, etc. for before-the-fact; analysis and testing tools for after-the-fact). But in the end, I believe the #1 factor that will contribute to the increased security of software is the developer's mentality. A security-aware...and more importantly, a security-*concerned&...developer is more likely to (1) avoid making bad choices and decisions, and (2) to take an interest in, and pursue becoming, knowledgeable enough to correct bad choices that he/she did not avoid making earlier. -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703.902.6981 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] on behalf of Francisco Nunes Sent: Tue 07-Aug-07 07:01 To: sc-l@securecoding.org Subject: [SC-L] Software process improvement produces secure software? Dear list members. In june 2007, I had an interesting conversation with Mr. Will Hayes from SEI during the Brazilian Symposium on Software Quality. It was a great experience and I am very grateful for this. During our conversation, I made a question to Mr. Hayes similar to this: "Is it possible that only software development process improvements can produce secure software?" The scenario was only based on CMMI without security interference. His answer to this question was "YES". My answer was "I DO NOT THINK SO". His answer made me confuse and I had no arguments, mainly, because my professional experience in software process does not compare to Mr. Haye's experience. Unfortunately, I also haven't found any statistics which could answer this question. Please, if there is one, let me know! So, how about you, list members? What are your answers to the question above? I will try to organize your answers and present the final result. Thank you. Yours faithfully, Francisco José B
Re: [SC-L] Software process improvement produces secure software?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kenneth Van Wyk wrote: > > On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: >> During our conversation, I made a question to Mr. >> Hayes similar to this: "Is it possible that only >> software development process improvements can produce >> secure software?" >> >> The scenario was only based on CMMI without security >> interference. > > All that follows is IMHO, of course... I would have to agree with you, > Francisco, that process improvements "without security interference" are > unlikely to produce significant changes in the security of the software > produced. Hola all, Was waiting to see if anyone threw out the SSE-CMM (System Security Engineering Capability Maturity Model). Though it's directed at the whole SDLC and not just the software development process, IMHO it's good to have in one's back pocket when planning it . . . Cheers, /g -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGu6uPmuGMnN1wNOoRAscyAJ0Vecx3l73w0W1gLJnQnVD/Hj7Y2wCfaL7s Ilqrf32fLf2x7N1tlqR/2kE= =gGpu -END PGP SIGNATURE- ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Software process improvement produces secure software?
On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: During our conversation, I made a question to Mr. Hayes similar to this: "Is it possible that only software development process improvements can produce secure software?" The scenario was only based on CMMI without security interference. All that follows is IMHO, of course... I would have to agree with you, Francisco, that process improvements "without security interference" are unlikely to produce significant changes in the security of the software produced. That said, I am a believer in somewhat more rigorous security-based software process. In particular, I think it's worth spending additional time/effort delving into the non-functional aspects of software, from requirements gathering through design as well as during the implementation/coding phases. I think that solutions that focus solely on implementation improvement are not sufficient. To me, a vital component in improving throughout the dev process must focus on process improvement. That is, process improvement based not (necessarily) on CMMI, and _with_ "security interference". :-) But I also don't like to see process for the sake of _process_. I'm fine with intelligently applied ad hoc processes, if that's not too much of a contradiction in terms. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com smime.p7s Description: S/MIME cryptographic signature ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Software process improvement produces secure software?
A simple way to understand why implementing software development process improvement will not necessarily produce secure software is to read the Common Criteria. yes, I know that it's opaque and hard to understand, but once you have gone through the process of writing a Protection Profile for an implementation independent information technology application, it becomes a lot clearer why simply having a good software development process does not imply secure software. which is why I make all my students write a protection profile on a topic that I pick (the latest ones centered around computer forensics tools) On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: > Dear list members. > > In june 2007, I had an interesting conversation with > Mr. Will Hayes from SEI during the Brazilian Symposium > on Software Quality. It was a great experience and I > am very grateful for this. > > During our conversation, I made a question to Mr. > Hayes similar to this: "Is it possible that only > software development process improvements can produce > secure software?" > > The scenario was only based on CMMI without security > interference. > > His answer to this question was "YES". My answer was > "I DO NOT THINK SO". > > His answer made me confuse and I had no arguments, > mainly, because my professional experience in software > process does not compare to Mr. Haye's experience. > > Unfortunately, I also haven't found any statistics > which could answer this question. Please, if there is > one, let me know! > > So, how about you, list members? What are your answers > to the question above? > > I will try to organize your answers and present the > final result. > > Thank you. > > Yours faithfully, > Francisco José Barreto Nunes. > > > Alertas do Yahoo! Mail em seu celular. Saiba mais em > http://br.mobile.yahoo.com/mailalertas/ > ___ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC > (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > ___ > Julie J.C.H. Ryan, D.Sc. Assistant Professor Engineering Management and System Engineering George Washington University An NSA certified Center of Academic Excellence in Information Assurance Education http://www.seas.gwu.edu/~jjchryan/ http://www.seas.gwu.edu/~infosec/ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Software process improvement produces secure software?
I've always had a question about this as well; specifically, what is really meant by "adding security to a CMM"? I've always felt that the level at which the software (or system) process is defined by a CMM is too high and too abstract for the addition of security activities to be particularly meaningful. My feeling is that a CMM is best used as a means of ensuring that the more detailed life cycle process is implemented in a disciplined manner, and that the amount of benefit, in terms of improvement of whatever property one is trying to improve - quality, reliability, security, safety - of the system/software that results from the process can be measured. Where the actual security activities need to be defined and added are to the life cycle methodology. At best, adding security to a CMM can provide a very high level framework for helping someone who is "shopping" for a life cycle methodology know what to look for in that methodology. Is a CMM necessary for that purpose? I'm not convinced that it is. I think what is likely to be more effective is a change in outlook by the practitioners who will be using the life cycle methodology. Their outlook needs to change so that a single question is asked before any choice or decision is made: What are the security implications of the choice/decision? Of course, there's much more to it than just asking that question. And that's the reason we need to train developers, testers, etc. to (1) understand what "security" means, both at the software and system levels; (2) visualise and recognise the possible impact(s) each of their choices/decisions could have on the security of the system they are building (before the fact); (3) recognise the impacts each of their choices/decisions has had on the security of the system they have built (after the fact). Tools and techniques to help developers do the second and third of these are proliferating (e.g., threat modeling, attack trees, etc. for before-the-fact; analysis and testing tools for after-the-fact). But in the end, I believe the #1 factor that will contribute to the increased security of software is the developer's mentality. A security-aware...and more importantly, a security-*concerned&...developer is more likely to (1) avoid making bad choices and decisions, and (2) to take an interest in, and pursue becoming, knowledgeable enough to correct bad choices that he/she did not avoid making earlier. -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703.902.6981 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] on behalf of Francisco Nunes Sent: Tue 07-Aug-07 07:01 To: sc-l@securecoding.org Subject: [SC-L] Software process improvement produces secure software? Dear list members. In june 2007, I had an interesting conversation with Mr. Will Hayes from SEI during the Brazilian Symposium on Software Quality. It was a great experience and I am very grateful for this. During our conversation, I made a question to Mr. Hayes similar to this: "Is it possible that only software development process improvements can produce secure software?" The scenario was only based on CMMI without security interference. His answer to this question was "YES". My answer was "I DO NOT THINK SO". His answer made me confuse and I had no arguments, mainly, because my professional experience in software process does not compare to Mr. Haye's experience. Unfortunately, I also haven't found any statistics which could answer this question. Please, if there is one, let me know! So, how about you, list members? What are your answers to the question above? I will try to organize your answers and present the final result. Thank you. Yours faithfully, Francisco José Barreto Nunes. Alertas do Yahoo! Mail em seu celular. Saiba mais em http://br.mobile.yahoo.com/mailalertas/ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___