[OWASP-TESTING] Re: [OWASP-LEADERS] Software specification template

Andrew van der Stock vanderaj at greebo.net
Thu Sep 8 08:25:18 EDT 2005

I am at the beginning of writing my four year old outline into a  
secure solutions architecture book for Addison Wesley. However, this  
is a long way away. :)

In the meantime, I suggest you look at the usual suspects of today's  
fads, like FDD, TDD, XP / RUP / agile programming in general.

It is my current experience on a very, very large project that the old
waterfall model (or even a partial hybrid agile/waterfall) with
Solution Architectures/HLD/DDD etc. eventually works, but very, very
slowly, and produces a mountain of useless paper (he says, guilty of
producing at least some of this mountain). The waterfall model is
extremely inefficient: double the time and resource budget over the
initial estimates, and cut delivered features by ~25%, and that's far
more realistic for a 1.0 release.

What *doesn't* work is writing a spec and out-tasking the spec to be
developed externally. I have *never* seen this work, and the half-
baked results have *always* been insecure. This is because:

a) the spec is hard and fast, and this is what the out-tasker will
cost and deliver;
b) Western writers do not know how to write specs properly ("do as I
imagined, not as I wrote");
c) the out-tasker's job is not to produce your imagined deliverable,
but to make money on a fixed-price, fixed-feature, usually badly
written spec.

It is safe to use out-taskers ... as long as you use an agile process
with them, so they're there for the ride and reap the benefits of
delivering good-quality milestones on time, and take pain for bad
security / late deliverables / poor results.

In all cases, give them the OWASP Guide and buy and supply them with  
copies of Writing Secure Code (Howard & LeBlanc) to develop against -  
this will reduce the amount of re-work they will have to do. The cost  
of the book for each dev is far, far cheaper than re-working even one  
security blemish.


On 08/09/2005, at 6:52 PM, Daniel wrote:

> Morning all,
> Sorry for the cross-posting here, but does anyone have a
> reference/template for designing software applications?
> Ideally I'm looking for guidelines on the correct manner of creating
> the spec of how you would like an app to be developed.
> Thanks
> Daniel