http://matasanochargen.disqus.com/enThu, 03 Aug 2006 00:15:41 -0000http://www.matasano.com/log/388/do-we-need-an-iso-secure-coding-standard/#comment-2320038Fair point. I think I'm really just pointing out that "building security into the QA process" is underrated and valuable.Thomas PtacekThu, 03 Aug 2006 00:15:41 -0000http://www.matasano.com/log/388/do-we-need-an-iso-secure-coding-standard/#comment-2320037&gt;The solution to the secure coding problem is going <br>&gt;to come from security QA, not secure coding.<br><br>I'm going to disagree with that, I've been implementing security into the SDLC of many large companies for about a year now. In my experience the secure coding problem is eliminated by education, policies, _and_ security QA to catch violations of said polices. With management buy-in essential to every step of the process (You've got an overflow in your code, your bonus just dropped 10%...yes there exist large companies that are implementing this sort of penalty system for policy violations)ErikCWed, 02 Aug 2006 08:36:22 -0000http://www.matasano.com/log/388/do-we-need-an-iso-secure-coding-standard/#comment-2320036The solution is not more lists of things not to do, its checking technology to tell you when you did do one of those things.<br><br>NIST SAMATE already has a short list of things not to do in their Source Code Analysis Tool Functional SpecificationChris W.Fri, 28 Jul 2006 14:51:33 -0000