> Software security can be tricky when it comes to requirements,
> mostly because customers and consumers don't explicitly demand security, rather they implicitly expect it.

Wait a second here, don't customers also implicitly expect that the software is going to run? I mean I haven't seen a requirements document _ever_ that has said "The software must start." They just implicitly expect that it's going to do that. Doesn't seem like a big surprise that most customers will _expect_ that "Hey, I don't want this software pwnable after you're done with it." Not sure where the trickiness you are referring to comes from?

JS

ps. Didn't AW publish your book(s)? :) I would be real surprised [turning on Tom Ptacek's snarky bit] if there's any mention of them.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________