Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Agreed, but can you make secure code without thinking about security at all? I don't think so - it's a bit like the safety vs. security debate; in the latter case the human attacker with hostile intent tends to invalidate your assumptions...

-Martin

On 07.03.2012 22:27, James Manico wrote:
> Karen is of course right. At the very least, high quality source code design and software is a lot easier to assess and secure than the alternative.
>
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Karen is of course right. At the very least, high quality source code design and software is a lot easier to assess and secure than the alternative.

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Mar 7, 2012, at 4:09 PM, "Goertzel, Karen [USA]" wrote:
> Unfortunately, it seems like the SWEBOK folks still believe that if you have high-quality software, that will be sufficient to assure robustness against intentional threats. It also shows a touching lack of faith that there will never be a malicious participant in the SDLC intentionally sabotaging or subverting the code, test results, etc.
>
> ===
> Karen Mercedes Goertzel, CISSP
Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Oops. I meant to say "touching faith" not "touching lack of faith".

===
Karen Mercedes Goertzel, CISSP

> From: "Goertzel, Karen [USA]" <goertzel_ka...@bah.com>
> Date: Wed, 7 Mar 2012 09:53:18 -0500
> To: Martin Gilje Jaatun <secse-ch...@sislab.no>, Secure Code Mailing List <SC-L@securecoding.org>
> Subject: Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers
>
> Unfortunately, it seems like the SWEBOK folks still believe that if you have high-quality software, that will be sufficient to assure robustness against intentional threats. It also shows a touching lack of faith that there will never be a malicious participant in the SDLC intentionally sabotaging or subverting the code, test results, etc.
>
> ===
> Karen Mercedes Goertzel, CISSP
Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Karen is right. That is a legacy of Watts Humphrey.

gem

> From: "Goertzel, Karen [USA]" <goertzel_ka...@bah.com>
> Date: Wed, 7 Mar 2012 09:53:18 -0500
> To: Martin Gilje Jaatun <secse-ch...@sislab.no>, Secure Code Mailing List <SC-L@securecoding.org>
> Subject: Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers
>
> Unfortunately, it seems like the SWEBOK folks still believe that if you have high-quality software, that will be sufficient to assure robustness against intentional threats. It also shows a touching lack of faith that there will never be a malicious participant in the SDLC intentionally sabotaging or subverting the code, test results, etc.
>
> ===
> Karen Mercedes Goertzel, CISSP
Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Unfortunately, it seems like the SWEBOK folks still believe that if you have high-quality software, that will be sufficient to assure robustness against intentional threats. It also shows a touching lack of faith that there will never be a malicious participant in the SDLC intentionally sabotaging or subverting the code, test results, etc.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com
"I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams

> From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Martin Gilje Jaatun [secse-ch...@sislab.no]
> Sent: 05 March 2012 07:02
> To: Secure Coding
> Subject: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers
>
> Hi SC-L,
>
> I would have hoped that "Software Security" should have been a topic area in SWEBOK, right alongside "Software Quality", but it doesn't look like it...
>
> -Martin
[SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Hi SC-L,

I would have hoped that "Software Security" should have been a topic area in SWEBOK, right alongside "Software Quality", but it doesn't look like it...

-Martin

-------- Original message --------
Subject: [SEWORLD] SWEBOK Version 3 Call for Reviewers
Date: Fri, 2 Mar 2012 10:53:26 -0700
From: Dick Fairley
To: sewo...@sigsoft.org

*Call for Reviewers of Three New Knowledge Area Descriptions for the*
*Guide to the Software Engineering Body of Knowledge*

The IEEE Computer Society is now soliciting public review comments on three knowledge areas (KAs) for Version 3 of the Guide to the Software Engineering Body of Knowledge (SWEBOK V3). SWEBOK V3 is an update to the 2004 version of the SWEBOK Guide, which is also known as Technical Report ISO/IEC TR 19759. The 15 KAs in SWEBOK V3 are being published incrementally as they become available for review.

The purposes of the SWEBOK Guide are: to characterize the contents of the software engineering discipline; to promote a consistent view of software engineering worldwide; to clarify the place of, and set the boundary of, software engineering with respect to other disciplines; to provide a foundation for training materials and curriculum development; and to provide a basis for certification and licensing of software engineers.

Three new KAs are now available for review (Software Engineering Methods and Models; Software Maintenance; and Mathematical Foundations). These KAs can be reviewed and comments can be submitted at: computer.centraldesktop.com/swebokv3review/

The review period for these KAs extends from March 2 to March 31, 2012.

Three of the SWEBOK V3 KAs (Computing Foundations, Software Construction, and Software Configuration Management) have been reviewed and the review period is closed; the KA editors are resolving the public review comments. Resolution of submitted comments for all KAs will be displayed on the SWEBOK V3 Web site as they become available.

All review comments, as well as the names and countries of the reviewers providing the comments, will be made public. Email addresses, affiliations, and other identifying information of reviewers will not be made public.

Present and potential reviewers will be notified when additional KAs become available for review. Each KA, when posted, will be available for review for 30 calendar days from the date of posting.

For further information or help please contact Dick Fairley, chair of the SWEBOK V3 Change Control Board, at d.fair...@computer.org.

To contribute to SEWORLD, send your submission to sewo...@sigsoft.org. http://www.sigsoft.org/seworld provides more information on SEWORLD as well as a complete archive of messages posted to the list.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___