Date: Thu Mar  2 17:25:17 2006
From: cmeinel at techbroker.com (Carolyn Meinel)
Subject: Murray's comments on McGraw's new book off the mark

Yesterday in the SANS NewsBytes, Bill Murray made a comment about
Gary McGraw's new book on software security that was off the mark:
"Wrong focus.  Most of these 'touchpoints' are about late flaw
detection and removal." However, even a cursory reading of "Software
Security: Building Security In" (Addison Wesley, 2006) makes it
evident that McGraw emphasizes early prevention.

McGraw's touchpoints are:
1) Requirements and use cases
2) Architecture and Design
3) Test plans
4) Code
5) Tests and test results
6) Feedback from the field

The first four come before new software even runs for the first time.
Furthermore, McGraw makes a powerful case for the economic value of
those first four. For example, Fig. 2-2 on page 74 shows "Security
ROI (Return on Investment) by Phase." It assigns the highest ROI to
the first two touchpoints, which are the pre-coding design phases. It
assigns the lowest ROI to testing. Figure 3-2 on page 92 shows "Cost
of Fixing Defects at Each Stage of Software Development." It shows an
almost zero cost for avoiding defects in the requirements and design
phases, slightly more to the coding phase, and by far the highest
cost to the last two touchpoints of testing and maintenance.

Furthermore, McGraw's approach to software security is entirely
consistent with the CMMI Guidelines for Process Integration and
Development, and therefore is within the mainstream of engineering
quality control. He adds essential details relevant to computer
security to known good practices in any engineering design process.
By contrast, essentially everything anyone else has written about
computer security falls into the category of fixing existing defects.

If computer security professionals want to ensure the viability of
their careers over the upcoming decades, knowledge of how to build
security into the software development process will be a big asset.
As Keith Rhodes, Chief Technologist and Director, Center for
Technology and Engineering at the Government Accounting Office has
said, "You can pay me now by coding it right, or pay me later. Go to
the bookstore and check out the computer shelves. They come in two
sections: books about crap, and books about how to survive crap.
Surviving means workarounds, and they introduce their own problems."
The success of McGraw's series of books on software security suggests
that many software developers are getting religion: don't code crap any more!
