There are many different SDLC processes out there. RUP, Agile, Extreme, the various DoJ processes... The Wikipedia entry for SDLC is actually useful (!) as a starting point from a process perspective.
Tools-wise there are also some avenues to look into: Mercury, DevInspect/QAInspect from SPI Dynamics (now HP), FxCop, and others.
This is one of those seemingly simple questions with a bazillion correct answers... depending on your particulars :)
Since this is a PCI-driven initiative, talk with your auditors to get
their specific requirements and then tailor your SDLC process to meet
their requirements while also making sure you don't cause a revolt at the
dev level with onerous processes :0
--
Erin Carroll
Moderator, SecurityFocus pen-test list
On Thu, 1 Nov 2007, mikef@everfast.com wrote:
> Because I'm the resident security expert, I've been tasked with helping
> our developers ensure new applications meet industry standard
> (particularly PCI) security requirements. I'm thinking about doing some
> sort of checklist that could be used to verify the particular
> requirements are met during the development phase, but I'm not sure
> where to start.
>
> Most of the secure coding information relates to web applications,
> however I need to develop rules for a variety of applications ranging
> from web to DOS (yes, that's MS-DOS) to point of sale. Also, could the
> checklist be used for a variety of programming languages?
>