26 November 2010

Standards and Source Code Review

Last night I attended the ISACA London technical event on ISO Technical Standards, presented by David Fatscher of BSI. His excellent presentation described many standards and associated BSI products, including BS 10012:2009 Data protection - Specification for a Personal Information Management System (PIMS) (which I mentioned in June). When BS 10012 was launched, BSI also released a related tool Data Protection Online to help ensure a PIMS meets the requirements of the standard.

I realised this is exactly the same approach as another tool released a week ago by David Rook (Security Ninja). The Agnitio tool guides you through the process of application categorisation and of undertaking and recording security source code reviews. It encourages a consistent approach to reviewing source code, and the generated reports can even be validated for integrity.

Screen capture from Agnitio v1.0.0 showing the security review report tab

Like the BSI tool which relates to BS 10012:2009, Agnitio relates to David Rook's Principles of Secure Development, which is rather like a standard for developers in many ways. Standards need supporting guidance, templates and tools—David Rook shows how this can be done. I'm sure he'll welcome feedback on the tool.

Agnitio is free to download and use.

Posted on: 26 November 2010 at 09:53 hrs


Comments


Looks like an MS Excel on steroids.
1 Added by eoin Posted on 28 November 2010 at 17:32 hrs
The document, Principles of Secure Dev, is not about secure dev but rather secure coding; it is flawed at that.
2 Added by noop Posted on 28 November 2010 at 17:35 hrs
Hi,

@eoin - not sure if the steroids comment is a good or bad thing, I'm always open to feedback so let me know :)

@noop In some ways I actually agree, in some other ways I don't. I think your comment reflects some of the issues we have in information security - the constant infighting and "one-upmanship" that goes on prevents us from really progressing. I won't go into that in this comment; see work from people like Josh Corman for more information.

Where I do kind of agree is the naming of the document and the content of it. What was published was never meant to be an all-encompassing document. In fact the whole principles idea was never really planned to become what it has become, so it's kind of grown "weirdly", and I'm the first to admit the documentation that has been published so far isn't as complete as it could/should be.

That said, it has been adopted by many companies including Fortune 500s, the NYSE and various other big-name companies in many different ways in their SDLCs, from awareness training to code review procedures. I feel the approach has merit and does work (feel free to contact me for people you can contact to discuss how they implemented the principles). This is (in my opinion) further backed up by the fact I've been offered three publishing deals with large IT book publishers and spoken at many conferences about this approach.

To cut a long story short, I turned the publishing deals down but still wrote a book's worth of content; this will be published early in 2011 for free online.

But as I always say, I'd love feedback, good or bad, on the principles, Agnitio or anything else I do or publish, but your comment doesn't really tell me much, so please feel free to elaborate here or contact me directly.

Thanks

Dave
3 Added by David Rook Posted on 01 December 2010 at 22:49 hrs
I think there is plenty of space for everyone's ideas - there are many problems to solve. What I like about David's approach, and why I mentioned it here, is the developer focus, and that he has actually published something usable. It is even better that it's free to access and use. It is always possible to improve something, but it takes a lot of effort to get to an initial release.

I'd encourage providing feedback and suggestions to David Rook as he asks.
4 Added by Clerkendweller Posted on 02 December 2010 at 08:13 hrs
http://www.clerkendweller.com/2010/11/26/Standards-and-Source-Code-Review

© 2010-2012 clerkendweller.com