Secure Coding mailing list archives

Secure programming is NOT just good programming


From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 12 Oct 2006 16:59:46 -0400

On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote:
> I suppose now is as good a time as any to say that everything David
> is talking about here is described in great detail in the HOW TO
> book that I released last February. If you're reading this list,
> you really should read that book. It's called "Software Security".
>
> Ken and I have trained thousands of developers using the book as a
> guide with some success. Cigital has a number of very large-scale
> software security initiatives underway at various customers that
> leverage that training. But more importantly, good programs
> instill and measure the kinds of best practices (called touchpoints
> in the book) that are certainly not part of standard good coding
> practice.

Presuming you meant "now part of..." and not "not part of..."

In any case, another great source of information on the touchpoint  
processes in Gary's book is the DHS-sponsored Build Security In  
portal at http://BuildSecurityIn.us-cert.gov.  It's still a work in  
progress, but there are a bunch of in-depth articles explaining all  
of Gary's touchpoint activities and such.  Plus, several new articles  
will be appearing there over the next few months, so keep checking in  
for updates.  The site is free and open to the public.  (Full  
disclosure: as one of the BSI authors, I'm certainly not unbiased,  
but I still believe it's a valuable resource for those who are  
interested in learning more about the touchpoints Gary cited.)

Cheers,

Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



