WebApp Sec mailing list archives

Re: secure software engineering methodology


From: Mads Rasmussen <mads () opencs com br>
Date: Tue, 23 Mar 2004 08:10:19 -0300

Alex Russell wrote:
>> If you read the book "building secure software" by John Viega and
>> Gary McGraw it says that extreme programming isn't good for
>> security projects.
> I would agree with that assessment. In fact, I would go so far as to say that there is only a small subset of projects for which many of the XP concepts are helpful or applicable. These projects tend to share ALL the following criteria:
>         - tightly defined or definable goal
>         - no scope drift
>         - low risk tolerance
>         - high time-to-market pressure
>         - static project resources
>         - established product or market

I actually like the unit test part of XP, but you could argue that it should be part of any methodology.

>> I was considering applying RUP, the Rational Unified Process, but I
>> think that it must be customized to consider security aspects.

> Given my experience with RUP inside organizations of varying size, I'm going to further extend my body onto a shaky limb and assert that no one really uses it. The furthest most organizations go is to use the templates that Rational/IBM produces, but that's about it. RUP (IMO) is more about saying that you're following a methodology and being able to use a trendier phrase than "source control" for marketing purposes.

I have heard of a lot of companies doing just that, telling the outside world that they are following RUP as a marketing buzzword. RUP tends to focus more on the architectural part of the system, so it could help think some things through. What often happens, though, is that the architecture of the system isn't discussed with the actual programmers and security experts, resulting in problems later on.

> Of course, I would love to be wrong about this. Anyone actually _using_ the WHOLE RUP process?

Actually I learned from John Viega that he is doing a security plugin for RUP. I don't have more information than that so I don't know what he actually is doing. We'll just have to wait and see.

I agree with your comments on CC. I dragged it in to start a discussion; I believe it's too heavyweight to be of real use, although many people tend to consult it at some point in the process.

Mads

