

You Can't PDF Your Way to Good Software - baha_man
http://www.codingthewheel.com/archives/You-Cant-PDF-Your-Way-to-Good-Software-Development

======
tptacek
I'll now annoy and patronize you all by again agreeing with the spirit of this
post while disagreeing with the particulars.

Security documentation is different from normal documentation in that it
serves dual purposes, and "comprehensible documentation" is the lesser of the
two. The more important objective of a security standard is to provide citable
line-item rules that can be audited against, and the reason you do that is so
that you can make reviews, tests, and audits objective.

You can argue with the specifics of those rules, but even something as obvious
as "keep windows synchronized with data" could merit a line item if it's
something that bad devs consistently fuck up, and could be inclined to argue
with ("that's not a security problem and nobody has ever complained about
it!") in a review.

