Home page logo
/

basics logo Security Basics mailing list archives

Re: Secure Software Development Checklist
From: Erin Carroll <amoeba () amoebazone com>
Date: Thu, 1 Nov 2007 20:17:45 +0000 (UTC)


There are many different SDLC processes out there. RUP, Agile, Extreme, the various DoJ processes... The Wikipedia entry for SDLC is actually useful (!) as a starting point from a process perspective.

Tools-wise there are also some avenues to look into: Mercury, DevInspect/QAInspect from SPI Dynamics (now HP), FxCop, and others.

This is one of those seemingly simple questions with a bazillion correct answers... depending on your particulars :)

Since this is a PCI-driven initiative, talk with your auditors to get their specific requirements and then tailor your SDLC process to meet their requirements while also making sure you don't cause a revolt at the dev level with onerous processes :0

--
Erin Carroll
Moderator, SecurityFocus pen-test list


On Thu, 1 Nov 2007, mikef () everfast com wrote:

Because I'm the resident security expert, I've been tasked with helping our developers ensure new applications meet industry standard (particularly PCI) security requirements. I'm thinking about doing some sort of checklist that could be used to verify the particular requirements are met during the development phase, but I'm not sure where to start.=20

Most of the secure coding information relates to web applications, however I need to develop rules for a variety of applications ranging from web to DOS (yes that's Ms-DOS) to point of sale. Also could the checklist be used for a variety programming languages.=



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]