Rob Caron

Developer-related topics and other stuff.

Build Security In (BSI)


Here’s a government site on building software that is more secure. As the site notes, “The content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle.” They even have some of the usual suspects from Microsoft on the reviewer list: Michael Howard, Shawn Hernan, and Steve Lipner. It appears that the site has been around since early last year, but there are still several areas under development.

Build Security In

What is "Build Security In" (BSI)?

Build Security In is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team will develop and collect software assurance and software security information that will help software developers, architects, and security practitioners to create secure systems.

Although the site does not endorse any particular tools vendor, it seems to me that there are a number of areas where features of Team System would apply, such as source code analysis and project management.

Another handy resource is this white paper by Howard & Lipner, and of course, the Microsoft Security Developer Center:

The Trustworthy Computing Security Development Lifecycle

This paper discusses the Trustworthy Computing Security Development Lifecycle (or SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process.

  • You indicate that "It appears that the site has been around since early last year, but there are still several areas under development." Actually, the web site was launched late this year on Oct 3, 2005. We will continue to populate the site and update the information. Input from stakeholders is always welcome.

    v/r,

    Joe Jarzombek
    Director for Software Assurance
    DHS NCSD
  • Oh, okay. I was going by the dates on some of the articles, which go back to 2004.