1996-08-27 - Re: Code Review Guidelines (draft)

Header Data

From: "Mark O. Aldrich" <maldrich@grci.com>
To: "Igor Chudov @ home" <ichudov@algebra.com>
Message Hash: c26532e28e2c889da8d371523f0739a3bdb359643a061aeb7cfdc2dca66a3bcb
Message ID: <Pine.SCO.3.93.960827160057.5158A-100000@grctechs.va.grci.com>
Reply To: <199608271620.LAA10933@manifold.algebra.com>
UTC Datetime: 1996-08-27 22:51:55 UTC
Raw Date: Wed, 28 Aug 1996 06:51:55 +0800

Raw message

From: "Mark O. Aldrich" <maldrich@grci.com>
Date: Wed, 28 Aug 1996 06:51:55 +0800
To: "Igor Chudov @ home" <ichudov@algebra.com>
Subject: Re: Code Review Guidelines (draft)
In-Reply-To: <199608271620.LAA10933@manifold.algebra.com>
Message-ID: <Pine.SCO.3.93.960827160057.5158A-100000@grctechs.va.grci.com>
MIME-Version: 1.0
Content-Type: text/plain


On Tue, 27 Aug 1996, Igor Chudov @ home wrote:

> Adam Shostack wrote:
> > 
> > A few weeks back, I posted a request for source code review
> > guidelines.  I got about 50 me-toos, but no guidelines.  So I wrote
> > some I think are decent.  They're still in draft format.  I'd
> > appreciate feedback & commentary on them.
> > 
> > http://www.homeport.org/~adam/review.html
> > 

Sorry.  I missed your first post.

The Security Engineering CMM effort has also been looking at methods that
are used to create assurances in trusted systems/components/products.  One
of these is, of course, code examination and quality reviews.  You may
want to check out what they've done.  There are not necessarily "steps" to
be followed, but rather how the PA (process area) relates to the ability
of an organization to perform security engineering (i.e., its maturity).
I haven't been in the PAs for a while, but there *may* be something there
that you can use.

GRCI sits on both the authoring group and the steering committee for the
SSE CMM.  If you need more info, let me know and I'll hook you up with
someone.  The group is always looking for someone to test the
implementation of the security engineering CMM products through pilot
testing.

Point your browser at http://www.ssecmm.ashton.csc.com/
and then rummage.  There's stuff buried all over the server, but you
probably will be most interested in the peer review, security
vulnerability analysis, and quality management portions.  As I recall (I
can't get to the site right now), a lot of stuff is in RTF and not HTML,
so you may have to DL it instead of looking at it online.

------------------------------------------------------------------------- 
|And if Dole wins and dies in office, they|        Mark Aldrich         |
|could just pickle him and no one would   |   GRCI INFOSEC Engineering  |
|notice.  It wouldn't be the first time we|     maldrich@grci.com       |
|had a dill-dole running the country.     | MAldrich@dockmaster.ncsc.mil|
|               -- Alan Olsen             |                             |
|_______________________________________________________________________|
|The author is PGP Empowered.  Public key at:  finger maldrich@grci.com |
|    The opinions expressed herein are strictly those of the author     |
|         and my employer gets no credit for them whatsoever.           |
-------------------------------------------------------------------------