XpAndSoftwareSecurity
Topic: XpAndSoftwareSecurity

Date and Location: XP Agile Universe 2003, August 12th, 2003

Convener: BilKleb

Attendees: ShawnSmith, GaryMcGraw, KennethBoucher, BillWood, PiergiulianoBossi, KrisRead, TomasTarbot, RobertWenner, GerardMeszaros, JanetGregory, MichaelGegick, BillBereza, GeorgePaci, JayTarpin, JustinMartin, JennittaAndrea, WayneAllen, AlanHarriman



GaryMcGraw's evocative software security talk presented the notion that software security is really an issue that must be addressed at the developer level and that the XP/Agile community appears to have the leverage to make it a reality. The question is: how can the XP/Agile community best assimilate these software security requirements?

Can we consider security a motherhood story, the way some teams handle performance?

Trying to protect broken stuff, for example with firewalls, simply doesn't work.

XP/Agile and the testing community are working together; maybe the same can happen with the security community.

Question, don't defend, when some OldFatSecurityGuyWithKeys approaches you with a list of tests that you must pass to justify the security of your code.

Refactoring code architecture is scary from a security standpoint and might trigger massive security rework.


To analyze security in code architecture:
  1. Create a description of the code architecture for the system at a whiteboard level, i.e., the design can fit on a single page using readable fonts
  2. Perform a risk analysis of this architecture

Two levels/types of security:
  1. Easy: implementation bugs, e.g., buffer overflows
  2. Hard: architecture issues, e.g., trusted collaborators

Need to develop an antipattern language. For example, if you have an untrusted component, here is a list of things that might bite you.

Can we use TestDrivenDevelopment for security?

Need education! Reference material? Tutorials? Workshops?

The test to determine if you are dealing with a true software security expert is to find out if they can program. If not, run, don't walk, away from the OldFatSecurityGuyWithKeys. Some security guys don't even know what a compiler is.

Recommended books:

Edit by KennethBoucher:
Security is difficult and it's something very few people are good at.
XP seems to be about doing the difficult things up front and always until they become second nature.
You can decide for yourself if those two points might be related.



Watch for a security paper by Janna Wayrynen, Gustav Bostrom, and Marine Boden to appear in the 2004 conference. --BilKleb