Re: secure software engineering methodology

[Alex Russell <alex () netWindows org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 22 March 2004 5:37 am, Mads Rasmussen wrote:
> Do any of you have any experience with methodologies for software
> engineering of secure software?
>
> If you read the book "building secure software" by John Viega and
> Gary McGraw it says that extreme programming isn't good for
> security projects.

I would agree with that assessment. In fact, I would go so far as to 
say that there are only a small subset of projects for which many of 
the XP concepts are helpful or applicable. These projects tend to 
share ALL the following criteria:
        - tightly defined or defineable goal
        - no scope drift
        - low risk tollerance
        - high time-to-market pressure
        - static project resources
        - established product or market

> I was considering applying RUP, the Rational Unified Process, but I
> think that it must be customized to consider security aspects.

Given my experience with RUP inside organizations of varying size, I'm 
going to further extend my body onto a shaky limb and assert that no 
one really uses it. The furthest most organizations go is to use the 
templates that Rational/IBM produces, but that's about it. RUP (IMO) 
is more about saying that you're following a methodology and being 
able to use a trendier phrase than "source control" for marketing 
purposes.

Of course, I would love to be wrong about this. Anyone actually 
_using_ the WHOLE RUP process?

> If you search papers by Matt Bishop [1], Edward Amoroso [2] and
> several others you will only find bits and pieces. Non of them
> refer to a specific methodology, some tries to fit the Common
> Criteria [3] into the development process.

Common Criteria is backward-looking and does not make demands about 
design or process, only that you have both and that you be able to 
tell someone else what they are and demonstrate that you followed 
them and that you were supposed to hit those targets in the first 
place. It's like the iso9001 of software: you agree to tell someone 
exactly what you're doing and what's wrong with it, proove it, and 
then never change it. Therefore mapping to it is a documentation 
exercise. 

This is, of course, a gross over-simplification and premature 
dismissal of CC, but it'll do for this discussion.

Regards

- -- 
Alex Russell
alex () burstlib org   BD10 7AFC 87F6 63F9 1691 83FA 9884 3A15 AFC9 61B7
alex () netWindows org F687 1964 1EF6 453E 9BD0 5148 A15D 1D43 AB92 9A46
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAX5ZGoV0dQ6uSmkYRAmRsAJ4sND6Fgag/QQiUOiJUjKgIG7C1qQCcD7bi
VwTqpjRlrkfnQJLdftq5omM=
=QxSX
-----END PGP SIGNATURE-----