webappsec logo WebApp Sec mailing list archives

secure software engineering methodology - aftermath
From: Mads Rasmussen <mads () opencs com br>
Date: Fri, 02 Apr 2004 08:26:49 -0300

Thanks to all who responded to my question on methodologies used in
security projects.

To sum up, some work is going on in that area. There seems to have been
a fear of joining known methodologies with security aspects due to fear
of hard criticism.

However, some authors have overcome that fear.

John Viega is doing a security plug-in for RUP, and Gunnar Peterson is
doing a book where he lists several methods to be used in the analysis phase of a project without referring specifically to RUP, XP or others.

Other books and approaches were presented to me. Some prefer using part
two of Common Criteria to evaluate risks in the project design phase.
Some love the unit tests of XP, some hate them, some say RUP is overkill
for security projects, some say it can be customized really well to
serve well, including risk analysis in the elaboration phase.
There are a lot of opinions out there; each person has his own experience in these matters and thus thinks accordingly. So there are no answers, there are no "best practices". Of course, methodologies have always had a point of interpretation, but something more specific than what is available today would come in handy.

It would be nice to have more discussions on these subjects. There's the
Rational conference where Viega will present his plug-in, but there
should be a specific forum for a security methodology; after all, it's too important to leave up to each one to make up his own ideas and approach, as is common practice as of now (according to the comments from the list at least). Maybe there is such a forum? If yes, could someone please enlighten me?

There are some security methodologies available developed by AT&T and DoD, but they are not publicly available, not to a non-American anyway.

I would still appreciate someone sending me a copy of "Trusted Software
Development Methodology", published by the Department of Defense
Strategic Defense Initiative Organization. The document number is
SDI-S-SD-91-000007, dated 17 June 1992 (two volumes).

A Gabriel Sjoberg responded that he had a copy, but he seems to have

I am still open for comments on these matters...


Mads Rasmussen
Security Consultant
Open Communications Security
+55 11 3345 2525
