Home page logo

webappsec logo WebApp Sec mailing list archives

RE: Corsaire White Paper: Secure Development Framework
From: "Flanagan, Kevin" <Kevin.Flanagan () bmwfs com>
Date: Tue, 25 May 2004 16:05:43 -0400

This is a fairly well-written high-level review of the software design
process.  It leaves out details on introducing security into the business
requirements process.  

Even though security is predominantly a non-functional requirement,  I feel
that if you are going to ask a development team to design, build, and test
something, you should have some fairly specific  requirements around how you
expect that application to behave.  This is even more important if you are
going to be outsourcing development.  I feel you can save a lot of confusion
if you can articulate security requirements for an application before the
design even starts.  

With that said, does anyone have any good references for building good
non-functional security requirements for applications (both web and
desktop).  I guess a lot of this can be covered in terms of application
development standards that go across any application development, but has
anyone successfully implemented security controls (standards, guidelines,
etc.) around the requirements process?


-----Original Message-----
From: Glyn Geoghegan [mailto:glyng () corsaire com] 
Sent: Tuesday, May 25, 2004 2:30 AM
To: webappsec () securityfocus com
Subject: Corsaire White Paper: Secure Development Framework

Hi all,

Corsaire's latest paper on strategies for produce secure web-applications is
now available at:


This white paper deals with developing a secure framework, both for internal
and outsourced development.  Within this context, secure development is
considered to be the process of producing reliable, stable, bug and
vulnerability free software.  This paper focuses on why a secure development
framework is needed, touches on its benefits and provides an overview of how
organisations can implement such strategies successfully.  A simple software
development model is used as an example in the paper, but the theories are
expected to be developed and adapted to suit the specific methodologies and
goals of any environment.


Glyn Geoghegan
+44 (0) 1483 226000

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]