On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote:
> I suppose now is as good a time as any to say that everything David is talking about here is described in great detail in the HOW TO book that I released last February. If you're reading this list, you really should read that book. It's called "Software Security". Ken and I have trained thousands of developers using the book as a guide with some success. Cigital has a number of very large-scale software security initiatives underway at various customers that leverage that training. But more importantly, good programs instill and measure the kinds of best practices (called touchpoints in the book) that are certainly not part of standard good coding practice.
Presuming you meant "now part of..." and not "not part of..."

In any case, another great source of information on the touchpoint processes in Gary's book is the DHS-sponsored Build Security In portal at http://BuildSecurityIn.us-cert.gov. It's still a work in progress, but there are a bunch of in-depth articles explaining all of Gary's touchpoint activities and such. Plus, several new articles will be appearing there over the next few months, so keep checking in for updates. The site is free and open to the public. (Full disclosure: as one of the BSI authors, I'm certainly not unbiased, but I still believe it's a valuable resource for those who are interested in learning more about the touchpoints Gary cited.)

Cheers,

Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
_______________________________________________
Secure Coding mailing list (SC-L)
[email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
