http://www.tssci-security.com/archives/2008/03/24/security-in-the-sdlc-is-not-just-code-review/ top secret/secure computing information Fri, 08 Aug 2008 18:16:05 +0000 http://wordpress.org/?v=2.2.3 http://www.tssci-security.com/archives/2008/03/24/security-in-the-sdlc-is-not-just-code-review/#comment-5276 roodee Tue, 25 Mar 2008 15:17:27 +0000 http://www.tssci-security.com/archives/2008/03/24/security-in-the-sdlc-is-not-just-code-review/#comment-5276 It is a sad state of affairs when the PCI DSS requirements become the litmus test for "Security in the SDLC". Like you, I've tried to inform well-intentioned people and groups that code review is a only a component in an overall application security program . After the blank stares subside I reflect on the many applications I have reviewed that are fundamentally flawed in their approach or design. In my opinion, if code-review is the only security checkpoint in the design and construction of an application then there are implicit assumptions, many times hidden, about the quality of a design. This is a dangerous assumption to bet on. It is a sad state of affairs when the PCI DSS requirements become the litmus test for “Security in the SDLC”. Like you, I’ve tried to inform well-intentioned people and groups that code review is a only a component in an overall application security program . After the blank stares subside I reflect on the many applications I have reviewed that are fundamentally flawed in their approach or design. In my opinion, if code-review is the only security checkpoint in the design and construction of an application then there are implicit assumptions, many times hidden, about the quality of a design. This is a dangerous assumption to bet on.

]]>