Ten Commandments for Software Security

[Gary McGraw <gem () cigital com>]

hi sc-l,

You all know by now that the BSIMM is a descriptive model and not a prescriptive one.  But at Cigital we're happy to 
give prescriptive advice about software security based on our experience as well.  Without further ado, the ten 
commandments for software security:

0. Thou shalt lead thy software security initiative (SSI) with a software security group (SSG).
1. Thou shalt rely on risk management and objective measurement using the BSIMM—not “top ten lists” and vulnerability 
counts—to define SSI success.
2. Thou shalt communicate with executives, directly linking SSI success to business value and comparing thy firm 
against its peers.
3. Thou shalt create and adopt an SSDL methodology like the Microsoft SDL or the Cigital Touchpoints that integrates 
security controls (including architecture risk analysis, code review, and penetration testing) and people smarter about 
software security than the tools they run.
4. Thou shalt not limit software security activity to only technical SDLC activities and especially not to penetration 
testing alone.
5. Thou shalt grow and nurture software security professionals for thy SSG (since there are not enough qualified people 
to go around).
6. Thou shalt consume direction from the business and intelligence from operations and incident response staff, and 
adjust SSI controls accordingly.
7. Thou shalt track thy data carefully and know where the data live regardless of how cloudy thy architecture gets.
8. Thou shalt not rely solely on security features and functions to build secure software as security is an emergent 
property of the entire system and thus relies on building and integrating all parts properly.
9. Thou shalt fix thy identified software defects: both bugs and flaws.

Read more in this month's [in]security column on SearchSecurity: 
http://searchsecurity.techtarget.com/news/2240164512/Ten-commandments-for-software-security

We welcome your reaction.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________