lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7.0.1.0.2.20060302102044.03b189c8@techbroker.com>
Date: Thu Mar  2 17:25:17 2006
From: cmeinel at techbroker.com (Carolyn Meinel)
Subject: Murray's comments on McGraw's new book off the
	mark

Yesterday in the SANS NewsBytes, Bill Murray made a comment about
Gary McGraw's new book on software security that was off the mark:
"Wrong focus.  Most of these 'touchpoints' are about late flaw
detection and removal." However, even a cursory reading of "Software
Security: Building Security In" (Addison Wesley, 2006) makes it
evident that McGraw emphasizes early prevention.

McGraw's touchpoints are:
1) Requirements and use cases
2) Architecture and Design
3) Test plans
4) Code
5) Tests and test results
6) Feedback from the field

The first four come before new software even runs for the first time.
Furthermore, McGraw makes a powerful case of the economic value of
those first four. For example, Fig. 2-2 on page 74 shows "Security
ROI (Return on Investment) by Phase." It assigns the highest ROI to
the first two touchpoints, which are the pre-coding design phases. It
assigns the lowest ROI to testing. Figure 3-2 on page 92 shows "Cost
of Fixing Defects at Each Stage of Software Development." It shows an
almost zero cost for avoiding defects in the requirements and design
phases, slightly more to the coding phase, and by far the highest
cost to the last two touchpoints of testing and maintenance.

Furthermore, McGraw's approach to software security is entirely
consistent with the CMMI Guidelines for Process Integration and
Development, and therefore is within the mainstream of  engineering
quality control. He adds essential details relevant to computer
security to known good practices in any engineering design process.
By contrast, essentially everything anyone else has written about
computer security falls into the category of fixing existing defects.

If computer security professionals want to ensure the viability of
their careers over the upcoming decades, knowledge of how to build
security into the software development process will be a big asset.
As Keith Rhodes, Chief Technologist and Director, Center for
Technology and Engineering at the Government Accounting Office has
said, "You can pay me now by coding it right, or pay me later. Go to
the bookstore and check out the computer shelves. They come in two
sections: books about crap, and books about how to survive crap.
Surviving means workarounds, and they introduce their own problems."
The success of McGraw's series of books on software security suggests
that many software developers are getting religion: don't code crap any more!


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ