mailing list archives
secure software engineering methodology - aftermath
From: Mads Rasmussen <mads () opencs com br>
Date: Fri, 02 Apr 2004 08:26:49 -0300
Thanks to all who responded to my question on methodologies used in
To sum up, some work is going on in that area. There seems to have been
a fear of joining known methodologies with security aspects due to fear
of hard critism.
However some authors have overcome that fear
John Viega is doing a security plug-in for RUP and Gunnar Peterson is
doing a book where he lists several methods to be used in the analysis
phase of a project without referering specifically to RUP, XP or others.
Other books and approaches were presented to me. Some prefer using part
two of Common Criteria to evaluate risks in the project design phase.
Some love the unittests of XP, some hate them, some say RUP is overkill
for security projects, some say it can be costumized really well to
serve well including risk analysis in the elaboration phase.
There is alot of oppinions out there, each person has his own experience
in this matters and thus thinks accordingly.
So there's no answers, there is no "best practices", ofcause
methodologies have always had a point of interpretation, but something
more specific than what is available today would come in handy.
It would be nice with more discussions on these subjects, there's the
Rational conference where Viega will present his plug-in, but there
should be a specific forum for a securty methodology, after all it's too
important to leave up to each one to make up his own ideas and approach
as is common practice as of now (according to the comments from the list
at least). Maybe there is such a forum? If yes, could someone please
There is some security methodologies available developed by AT&T and
DoD, but they are not publicly available, not to a non-american anyway.
I would still appreciate someone sending me a copy of "Trusted Software
Development Methodology", published by the Department of Defense
Strategic Defense Initiative Organization. The document number is
SDI-S-SD-91-000007, dated 17 June 1992 (two volumes).
A Gabriel Sjoberg responded that he had a copy, but he seems to have
I am still open for comments on these matters.....
Open Communications Security
+55 11 3345 2525
- secure software engineering methodology - aftermath Mads Rasmussen (Apr 02)