funsec mailing list archives
Re: standards for security in software
From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 07 Apr 2009 23:17:41 -0400
Larry Seltzer wrote:

> Below is the section of S.773 mandating that NIST establish "measurable and auditable cybersecurity standards" for systems and networks. Do standards along these lines exist already? I guess I'd be surprised if nothing like this exists, but the only ones I'm aware of don't have a lot of real-world relevance, like C1 and B certifiability. Some of it is already in place or at least being worked on, like the standard configurations (see http://www.eweek.com/c/a/Security/Standardizing-the-Federal-Desktop/) or the vulnerability specification stuff. Do others think the other elements and the big picture of this is practical?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer () ziffdavisenterprise com
Larry,

All standards with which I am familiar, and I think I have a good grasp of what is out there, have to do with:

1) Hardening systems and networks
2) Policy and processes
3) Best practices

I am not familiar with anything that addresses software development security per se. As I recall, even IEEE/ISO 12207, which replaced the old MIL-STD-498, does not address software security processes.

I think that spending money to specify the best practices for software security and developing secure software is a great place to put our tax dollars. It will be money well spent.

Jon

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253