[cap-talk] "No processes or practices have currently been shown to
consistently produce secure software."
iang at systemics.com
Fri May 21 16:03:18 EDT 2004
Dear caps people,
I wrote a quite critical blog entry (above) on a USG report
entitled "Security Across the Software Development Lifecycle
Task Force" ... which ended with this para:
Also striking was the absence of any mention of actual
security: things like E, Eros, etc: "No processes or
practices have currently been shown to consistently
produce secure software [B1.iii]." Instead, we see calls
to certify this, verify that, and measure those. In short,
more window dressing is required (am I the only one who's
offended by the ugly nakedness behind the panes?).
Which must have struck home, as just now this turned up:
with a quite silly ad hominem attack taking up half of the
article. Finally, it ends with:
Be that as it may, Grigg's "Financial Cryptography"
Weblog calls the Task Force report on life-cycle
software security "a scary document." He calls the
report's recommendations a collection of "calls to
certify this, verify that, and measure those"; in
particular, he takes the report to task for its
dismissive statement (on page 6, which is the eighth
page of the Task Force PDF document hyperlinked near
the top of this column) that "No processes or practices
have currently been shown to consistently produce secure
Ignoring Mr Coffee's silliness, anyone care to comment on the
statement in dispute (in subject line) and my implication
that E, Eros, caps in general might have been mentioned?