[WEB SECURITY] Q&A: Gary McGraw talks about building security into the SDLC

valkyrie at hacktek.com
Fri May 12 09:43:40 EDT 2006


Several reasons I can think of.  First, it adds to the cost of
development; money the organization does not wish to spend.  It adds
additional time to the development cycle, which the company does not
wish to spend.  Finally, industry people/experts have been talking about this
for years, that it's the right thing to do, but that does not mean that
clients are listening.

Oh, and there already is a great book out there that has presented
security in SDLC issues.  It's titled the Handbook of Information
Security Management, published by Auerbach Press. It's been around for
quite some time.

Regards.


Davidson, Michelle wrote:
> If it's agreed that security should be included in every part of the
> SDLC, then why do so many people I speak to say few are doing this? Why
> do so many industry people/experts keep stressing the need for it?
>
>
> -----Original Message-----
> From: Dan Kuykendall [mailto:dan at kuykendall.org]
> Sent: Thursday, May 11, 2006 11:07 PM
> To: Jason Muskat
> Cc: Davidson, Michelle; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Q&A: Gary McGraw talks about building
> security into the SDLC
>
> I discuss this in one of my podcasts as well.
> http://www.mightyseek.com/podcasts/security-during-the-software-developm
> ent-life-cycle
>
> This podcast includes a PDF of the slides that go along with it.
>
> and, as you say, security is not a phase, it should be part of every
> step of the SDLC
>
> Jason Muskat wrote:
>> Hello,
>>
>> Security in the SDLC.. I asked about security the first day in this
>> one course I took. The professor was perplexed. After all security IS in
>> the SDLC. It should be defined in Requirements Analysis. What a visionary.
>>
>> Security should not exist as a stage/phase, but encompass the whole of
>> the SDLC for security to be effective.
>>
>> Regards,
>>
>> --
>> *Jason Muskat*  | GCUX - de VE3TSJ
>> ____________________________
>> *TechDude*
>> *e.* Jason at TechDude.Ca
>> *m.* 416 .414 .9934
>>
>> http://TechDude.Ca/
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From: *"Davidson, Michelle" <MDavidson at techtarget.com>
>> *Date: *Wed, 10 May 2006 09:42:42 -0400
>> *To: *<websecurity at webappsec.org>
>> *Conversation: *Q&A: Gary McGraw talks about building security into the SDLC
>> *Subject: *[WEB SECURITY] Q&A: Gary McGraw talks about building security
>> into the SDLC
>>
>> Hi everyone,
>>
>> Recently Gary McGraw, author of the book Software Security: Building
>> Security In, talked with the editors at SearchAppSecurity.com about ways
>> to include security in the development life cycle without having to
>> completely change your development process. He talks about best
>> practices developers and architects should be doing, which he calls
>> touchpoints, and they include code review and architectural risk analysis.
>>
>> You can read the full Q&A here (registration to the site is NOT required):
>>
>> http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1187360,00.html
>>
>>
>> Have a great day!
>> Michelle
>>
>>
>>
>> *Michelle Davidson
>> *Editor
>> SearchAppSecurity.com
>> TechTarget
>>
>> 4025 Sea Grape Circle
>> Delray Beach, FL  33445
>>
>> Phone: 561-302-1120
>> Fax: 561-496-1860
>> AIM: MicheDav910
>>
>> TechTarget
>> The Most Targeted IT Media
>> www.techtarget.com <http://www.techtarget.com/>
>>
>>
>
> - --
> Dan Kuykendall (aka Seek3r)
> http://www.mightyseek.com
>
> In God we trust, all others we virus scan.
> Programmer - an organism that turns coffee into software.
>
>


-- 
Sapere Aude


The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
