Home page logo

webappsec logo WebApp Sec mailing list archives

RE: Corsaire White Paper: Secure Development Framework
From: "Glyn Geoghegan" <glyng () corsaire com>
Date: Wed, 26 May 2004 17:35:36 +1000

Thanks Kevin.

This paper has focussed much more on security interaction with the
development process, but as you rightly mention, security should be
considered during the business requirements stage too.  

Security knowledge-share with the development team during the workshops and
other early phases provides a good opportunity to instil the right security
concerns in the team, and to ensure the functional requirements are properly
defined and understood.

It would be very interesting to get feedback from those already engaging in
a multi-phased approach to secure development, or to see how this kind of
strategy would be implemented in a more complex development life-cycle that
the good old waterfall model.


-----Original Message-----
From: Flanagan, Kevin [mailto:Kevin.Flanagan () bmwfs com] 
Sent: 26 May 2004 06:06
To: 'Glyn Geoghegan'; webappsec () securityfocus com
Subject: RE: Corsaire White Paper: Secure Development Framework

This is a fairly well-written high-level review of the software design
process.  It leaves out details on introducing security into 
the business
requirements process.  

Even though security is predominantly a non-functional 
requirement,  I feel
that if you are going to ask a development team to design, 
build, and test
something, you should have some fairly specific  requirements 
around how you
expect that application to behave.  This is even more 
important if you are
going to be outsourcing development.  I feel you can save a 
lot of confusion
if you can articulate security requirements for an 
application before the
design even starts.  

With that said, does anyone have any good references for building good
non-functional security requirements for applications (both web and
desktop).  I guess a lot of this can be covered in terms of 
development standards that go across any application 
development, but has
anyone successfully implemented security controls (standards, 
etc.) around the requirements process?


-----Original Message-----
From: Glyn Geoghegan [mailto:glyng () corsaire com] 
Sent: Tuesday, May 25, 2004 2:30 AM
To: webappsec () securityfocus com
Subject: Corsaire White Paper: Secure Development Framework

Hi all,

Corsaire's latest paper on strategies for produce secure 
web-applications is
now available at:


This white paper deals with developing a secure framework, 
both for internal
and outsourced development.  Within this context, secure 
development is
considered to be the process of producing reliable, stable, bug and
vulnerability free software.  This paper focuses on why a 
secure development
framework is needed, touches on its benefits and provides an 
overview of how
organisations can implement such strategies successfully.  A 
simple software
development model is used as an example in the paper, but the 
theories are
expected to be developed and adapted to suit the specific 
methodologies and
goals of any environment.


Glyn Geoghegan
+44 (0) 1483 226000

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]