WebApp Sec mailing list archives

Re: Secure software development documents


From: roger.smith () calyonfinancial com
Date: Mon, 26 Jul 2004 09:29:12 -0500





Good subjects.....but I'm not sure what subject you're inquiring about.....

The security of the finished app?
The security of the process of developing apps?

For the finished app I can recommend a "risk based" approach:

An analysis should occur at the outset during project definition to
determine the stakes of the application in terms of these security
concerns:
   Availability of information
   Confidentiality of information
   Integrity of information
   Proof or Audit trail of information management events (who changed what
   and when)

From knowing the stakes the analysts can pose scenarios that would affect
ACIP.
IT and business management can propose measures to mitigate those risks.
   They may be technical or operational -
      Technical - RAID, data validation, authentication, encryption etc.
      Operational - Double signature procedures, human checks and balances
      etc.

The business owner (the group that lives and dies on the apps) will have to
negotiate with IT on what technical measures can be employed based on
budget and resources etc.
The mitigating measures chosen should become part of the specification of
work.

The implementation of these measures will be tested and signed off just as
any other part of the app development specs would be.

This risk based approach requires a cultural acceptance in the
organization.  I have found that cultures averse to such an approach prefer
things fast and loose and believe they can live with less quality in their
final product.  My motto "Go slower to go faster".  From the aged craftsman
that taught me - "Measure twice; cut once".

There are resources on the internet that speak to Risk Based Security
models.  I have proposed here a small out-take of one such program I have
had good results with.

For the process of developing apps?  Look into "Expert Programming
Methodology".  That methodology is truly centered on - Go slower to go
faster.




Roger Smith




                                                                           
udayan pathak <udayan_pathak@yahoo.com>
07/26/2004 06:18 AM

To: webappsec () securityfocus com, secprog () securityfocus com
cc:
Subject: Secure software development documents




Hi everyone

I have a query!


What are the documentation standards being followed as
far as secure software development is concerned? I
find that in the current software development process
the documents generated do not/barely cover the
security of the application being developed.

All the normal documents for requirement
specification, requirement tracking, high level and
low level design documents etc have nothing more than
a small section in their template format for security,
which looks more like a formality and hardly serves
the purpose.

Especially as far as software testing is concerned one
gets the feeling that the provision for security
testing in test cases gets diluted in the sea of
functionality testing.

Has anyone got any insights into this? Or any other
standard being followed?

Please let me know



Udayan Pathak








