On Tue, 27 Aug 1996, Igor Chudov @ home wrote:
Adam Shostack wrote:
A few weeks back, I posted a request for source code review guidelines. I got about 50 me-toos, but no guidelines. So I wrote some I think are decent. They're still in draft format. I'd appreciate feedback & commentary on them.
Sorry. I missed your first post. The Security Engineering CMM effort has also been looking at methods that are used to create assurances in trusted systems/components/products. One of these is, of course, code examination and quality reviews. You may want to check out what they've done. There are not necessarily "steps" to be followed, but rather how the PA (process area) relates to the ability of an organization to perform security engineering (i.e., its maturity). I haven't been in the PAs for a while, but there *may* be something there that you can use.

GRCI sits on both the authoring group and the steering committee for the SSE CMM. If you need more info, let me know and I'll hook you up with someone. The group is always looking for someone to test the implementation of the security engineering CMM products through pilot testing.

Point your browser at http://www.ssecmm.ashton.csc.com/ and then rummage. There's stuff buried all over the server, but you probably will be most interested in the peer review, security vulnerability analysis, and quality management portions. As I recall (I can't get to the site right now), a lot of stuff is in RTF and not HTML, so you may have to DL it instead of look at it online.

-- 
Mark Aldrich
GRCI INFOSEC Engineering
maldrich@grci.com
MAldrich@dockmaster.ncsc.mil

"And if Dole wins and dies in office, they could just pickle him and no one would notice. It wouldn't be the first time we had a dill-dole running the country." -- Alan Olsen

The author is PGP Empowered. Public key at: finger maldrich@grci.com
The opinions expressed herein are strictly those of the author and my employer gets no credit for them whatsoever.