A simple way to understand why implementing software development process improvement will not necessarily produce secure software is to read the Common Criteria.
yes, I know that it's opaque and hard to understand, but once you have gone through the process of writing a Protection Profile for an implementation independent information technology application, it becomes a lot clearer why simply having a good software development process does not imply secure software. which is why I make all my students write a protection profile on a topic that I pick (the latest ones centered around computer forensics tools) On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: > Dear list members. > > In june 2007, I had an interesting conversation with > Mr. Will Hayes from SEI during the Brazilian Symposium > on Software Quality. It was a great experience and I > am very grateful for this. > > During our conversation, I made a question to Mr. > Hayes similar to this: "Is it possible that only > software development process improvements can produce > secure software?" > > The scenario was only based on CMMI without security > interference. > > His answer to this question was "YES". My answer was > "I DO NOT THINK SO". > > His answer made me confuse and I had no arguments, > mainly, because my professional experience in software > process does not compare to Mr. Haye's experience. > > Unfortunately, I also haven't found any statistics > which could answer this question. Please, if there is > one, let me know! > > So, how about you, list members? What are your answers > to the question above? > > I will try to organize your answers and present the > final result. > > Thank you. > > Yours faithfully, > Francisco José Barreto Nunes. > > > Alertas do Yahoo! Mail em seu celular. Saiba mais em > http://br.mobile.yahoo.com/mailalertas/ > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC > (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > Julie J.C.H. Ryan, D.Sc. Assistant Professor Engineering Management and System Engineering George Washington University An NSA certified Center of Academic Excellence in Information Assurance Education http://www.seas.gwu.edu/~jjchryan/ http://www.seas.gwu.edu/~infosec/ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________