Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Another opinion on using extreme programming for security
From: Mads Rasmussen (madsopencs.com.br)
Date: Tue Apr 13 2004 - 14:57:20 CDT
I found this excerpt from Matt Bishop's book, "Computer Security, Art &
Science" very nice and wanted to share it.....
"Extreme programming is a development methodology based on rapid
prototyping and best practices such as separate testing components,
frequent reviewing, frequent integration of components, and simple
design. A project is driven by business decisions, not by project
stakeholders, and requirements are open until the project is complete.
The design evolves as needed to remove complexity and add flexibility.
Programmers work in teams or pairs. Component testing procedures and
mechanisms are developed before the components are developed. The
components are integrated and tested several times a day. One objective
of this model is to put a minimal system into production as quickly as
possible and then enhance it as appropriate.
Use of this technique for security has several benefits and several
drawbacks. The nature of an evolving design leaves the product
vulnerable to the problems of an add-on product. Leaving requirements
open does not ensure that security requierements will be properly
implemented into the system. However, if threats were analyzesd and
appropriate security requirements developed before the system was
designed, a secure or thrusted system could result. However, evidence of
trustworthiness would need to be adduced _after_ the system was
developed and implemented."