Jeff Williams jeff.williams at aspectsecurity.com
Wed Sep 15 14:54:07 EDT 2004


Here is a link to the "Joel Test."  He writes... "Have you ever heard of SEMA? It's a fairly esoteric system for measuring how good a software team is. No, wait! Don't follow that link! It will take you about six years just to understand that stuff. So I've come up with my own, highly irresponsible, sloppy test to rate the quality of a software team. The great part about it is that it takes about 3 minutes. With all the time you save, you can go to medical school."  http://www.joelonsoftware.com/articles/fog0000000043.html

Also, here are the questions from the (never used) marketing piece I mentioned.  We tried to cover people, process, and technology.  I think the questions aren't easy enough to answer and should be shorter like in the Joel Test.

[] Have your programmers been trained in secure programming techniques? Did the class cover vulnerabilities specific to your environment, type of application, and development process?

[] Are the security rules, policies, and requirements for your application documented? Do the rules cover all major security mechanisms and vulnerability areas? Are coding and commenting standards included?

[] Is encryption and decryption carefully implemented? Are all certificates, passwords, keys, and other credentials protected at all times? Is all sensitive information stored in an encrypted or hashed form?

[] Do you validate every piece of information that comes from a user, even if users have no obvious way to change that information? Do you check for allowed content instead of attempting to filter out the bad stuff?

[] Do you have source control and bug-tracking systems? These are indicators that security problems can be tracked to their root causes and your development process can be improved.

[] Does your application's design demonstrate solid security concepts such as defense in depth, fail safe design, least privilege, and open design? Does every design decision include security analysis?

[] Do you have a document that details your environment's secure installation and configuration? Is it really used? Is it consistent with available hardening guidelines and kept up to date?

[] Are your authentication and session management schemes secure? Are all credentials and session identifiers non-guessable and protected at all times? Is the mechanism in one place and easy to check?

[] Is it impossible for one user to access another's information? Have the authorization rules for each role, account, and function been documented in one place? Is the mechanism in one place and easy to check? 

[] Does your project find security vulnerabilities before they become problems or only after? Are all audit reports documented and tracked to completion?


Jeff Williams, CEO
Aspect Security, Inc.
work: 410-707-1487
main: 301-604-4882
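One item on the list above asks whether input is checked for allowed content rather than filtered for "the bad stuff." The following example (added here to illustrate that question; it is not code from the email or from Aspect Security) contrasts the two approaches on a username field. The regular expression, the deny-list character set, the `SAMPLES` inputs and the function names are all constructed for this illustration.

```python
import re

# Positive ("allow-list") validation: accept only the exact shape the
# application needs for a username, reject everything else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def allowlist_valid(username: str) -> bool:
    """Return True only when the whole string matches the allowed pattern."""
    return USERNAME_RE.fullmatch(username) is not None


# Negative ("deny-list") filtering: strip a handful of characters someone once
# decided were dangerous. Constructed here to show why this approach is brittle.
BAD_CHARS = set("<>'\";")


def denylist_filter(username: str) -> str:
    """Remove the listed characters and silently accept whatever remains."""
    return "".join(ch for ch in username if ch not in BAD_CHARS)


# Constructed sample inputs (not taken from any real system).
SAMPLES = [
    "alice_01",              # ordinary, well-formed username
    "o'neil",                # legitimate-looking value that the filter mutates
    "bob\r\nx",              # control characters the deny-list never considered
    "\uff1cb\uff1e",         # fullwidth angle brackets: look like <b> but are not in BAD_CHARS
    "a" * 40,                # over-long value the deny-list has no opinion about
]


def compare(samples):
    """Evaluate each sample under both strategies.

    Returns a list of dicts with the original value, the allow-list verdict,
    and what the deny-list filter would have passed on to the application.
    """
    rows = []
    for value in samples:
        rows.append({
            "input": value,
            "allowlist": allowlist_valid(value),
            "denylist_result": denylist_filter(value),
            # The deny-list "accepts" anything it returns, changed or not.
            "denylist_changed": denylist_filter(value) != value,
        })
    return rows


if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(f"{row['input']!r:28} allowlist={row['allowlist']!s:5} "
              f"denylist->{row['denylist_result']!r}")
```

Running it shows the pattern the checklist question is driving at: the allow-list rejects every malformed sample outright, while the deny-list either passes the input through untouched (control characters, look-alike Unicode, over-long values) or quietly alters a legitimate value before storing it. Whichever strategy a project chooses, the decision should be recorded in the security rules the earlier checklist items ask about, and the validation routine kept in one place so it can be reviewed.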
URL: http://lists.owasp.org/pipermail/owasp-metrics/attachments/20040915/7825e38a/attachment.html 