Re: Software security specifications

["i.matilde () gmail com" <i.matilde () gmail com>]

The objective of the policy is to give a list of general security
considerations while designing the software, it could make a
distinction between web and client/server applications, there will be
lower level documents that will go into specific technology
implementations like .net or j2ee, pointing to security best practices
released by the vendors, there will also be a section regarding
architecture specific considerations, one example is user profiling
for web applications, we are currently designing a centralized
directory service, the policy will recommend that where possible, for
user profiling you must use this system... it will also give some
advice on stuff like data design, example is separating the data that
is used just by the application from the actual data that is
sensitive, and requires a higher level of protection.

Thanks Shawn


On Mon, 21 Feb 2005 23:04:38 -0800 (PST), udayan pathak
<udayan_pathak () yahoo com> wrote:
> Hi Shawn
>
> Could you be a bit more specific about your question.
>
> The applications being developed are they big enough
> to involve concepts of Enterprise architecture?
>
> The policy you are trying to develop is that a high
> level policy or a more hands-on lower level policy
> specific to the apllication?
>
> Udayan
>
> --- "i.matilde () gmail com" <i.matilde () gmail com> wrote:
>
> > I need to develop a policy that will list security
> > requirements for
> > new applications developed internally or by
> > contractors, general
> > specifications like validate input ecc...., I am
> > looking for some good
> > resources on the subject, any recommendations?
> >
> > Best Regards,
> >
> > Shawn
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com