WebApp Sec: secure software engineering methodology - aftermath

From: Mads Rasmussen <mads_at_opencs.com.br>
Date: Fri, 02 Apr 2004 08:26:49 -0300

Thanks to all who responded to my question on methodologies used in
security projects.

To sum up, some work is going on in that area. There seems to have been
a fear of joining known methodologies with security aspects due to fear
of hard criticism.

However, some authors have overcome that fear.

John Viega is doing a security plug-in for RUP and Gunnar Peterson is
doing a book where he lists several methods to be used in the analysis
phase of a project without referring specifically to RUP, XP or others.

Other books and approaches were presented to me. Some prefer using part
two of Common Criteria to evaluate risks in the project design phase.
Some love the unit tests of XP, some hate them, some say RUP is overkill
for security projects, some say it can be customized really well to
serve well including risk analysis in the elaboration phase.
There are a lot of opinions out there; each person has his own experience
in these matters and thus thinks accordingly.
So there are no answers, there are no "best practices"; of course
methodologies have always had a point of interpretation, but something
more specific than what is available today would come in handy.

It would be nice with more discussions on these subjects. There's the
Rational conference where Viega will present his plug-in, but there
should be a specific forum for a security methodology; after all, it's too
important to leave up to each one to make up his own ideas and approach,
as is common practice as of now (according to the comments from the list
at least). Maybe there is such a forum? If yes, could someone please
enlighten me?

There are some security methodologies available developed by AT&T and
DoD, but they are not publicly available, not to a non-American anyway.

I would still appreciate someone sending me a copy of "Trusted Software
Development Methodology", published by the Department of Defense
Strategic Defense Initiative Organization. The document number is
SDI-S-SD-91-000007, dated 17 June 1992 (two volumes).

A Gabriel Sjoberg responded that he had a copy, but he seems to have
vanished.

I am still open for comments on these matters...

Regards,

Mads Rasmussen
Security Consultant
Open Communications Security
+55 11 3345 2525
Received on Apr 02 2004