Wednesday, June 10, 2009

Review: Security Policies and the Software Developer

Security Policies and the Software Developer
Found in: IEEE Security and Privacy
By Denis Verdon
Issue Date: July 2006
pp. 42-49

I found this by searching for "baseline security policy" on the computer.org digital library; it was about halfway down the second page of results.

Link: http://www2.computer.org/portal/web/csdl/abs/html/mags/sp/2006/04/j4042.htm

This is a pretty high-level article (not terribly in-depth), but glancing through it I saw it had some nice information categorized.

Different Policy Types (across all kinds of different domains) - Even though they are all "policies", they each mean and contain totally different things, and I think it would help our work a lot if we clearly state which types of policies we address:
  • Corporate security policy
  • Acceptable use policy
  • Privacy policy
  • Email policy
  • Information (systems) security policy
  • Network security policy
  • Secure application development policy
  • Incident management policy
  • Data classification policy
  • Policy exemption process
Some of these are likely unrelated to our work, but each probably has different standards and mechanisms of expression.

"To meet the research needs, public communities of interest or working groups usually sprout up, acting as clearing houses for knowledge on threats and countermeasures." The article then claims there are three distinct groups that do research in these areas:
  • "de facto bodies, often evolved from loose communities of interest, such as SANS (www.sans.org);
  • government-sponsored bodies, such as US-CERT;
  • and not-for-profit or non-governmental organizations and standards bodies, such as the International Standards Organization, the IEEE, or the Center for Internet Security (www.cisecurity.org)"
Not that this classification really gets us anywhere, but I like that someone else has already stratified the areas that we would likely need to look towards. The article then goes on to look at standards that are prevalent (again, I think this document is written from a legal-protection viewpoint, so it's not totally helpful, but still worth looking into).

Some of the groups the article briefly reviews (some of these are really just best-practices documents, but still, maybe these are who we should turn to when developing the baseline):
  • Build Security In (BSI, https://buildsecurityin.us-cert.gov)
  • The Open Web Application Security Project (www.owasp.org/documentation)
  • Microsoft Developer Network (MSDN; http://msdn.microsoft.com/security)
  • Sun Developer Network's Reference on Java Security (http://developers/sun.com/techtopics/security/javasecurity/reference/techart/index.html#2)