{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

50 of projects with code review and stakeholder sign

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: de Since code-level vulnerabilities can have dramatically increased impacts if they occur in security-critical parts of software, project teams should review high-risk modules for common vulnerabilities. Common examples of high-risk functionality include authentication modules, access control enforcement points, session management schemes, external interfaces, input validators and data parsers, etc. Utilizing the code review checklists, the analysis can be performed as a normal part of the development process where members of the project team are assigned modules to review when changes are made. Security auditors and automated review tools can also be utilized for the review. During development cycles where high-risk code is being changed and reviewed, development managers should triage the findings and prioritize remediation appropriately with input from other project stakeholders. Results ✦✦Inspection for common code vulnerabilities that lead to likely discovery or attack ✦✦Lightweight review for coding errors that lead to severe security impact ✦✦Basic code-level due diligence for security assurance Success Metrics ✦✦>80% of project teams briefed on relevant code review checklists in past 6 months ✦✦>50% of project teams performing code review on high-risk code in past 6 months ✦✦>3.0 Likert on usefulness of code review checklists reported by developers Costs ✦✦Buildout or license of code review checklists ✦✦Ongoing project overhead from code review activities of high-risk code Personnel ✦✦Developers (2-4 days/yr) ✦✦Architects (1-2 days/yr) ✦✦Managers (1-2 days/yr) ✦✦Business Owners (1 day/yr) Related Levels ✦✦Security Requirements - 1 SAMM / The Security Practices - v1.0 Activities 63 CR 2 Code Review Make code review during development more accurate and efficient through automation Results ✦✦Development enabled to consistently self-check for codelevel security vulnerabilities ✦✦Routine analysis results to compile historic data on perteam secure coding habits ✦✦Stakeholders aware of unmitigated vulnerabilities to support better tradeoff analysis Activities A. Utilize automated code analysis tools Many security vulnerabilities at the code level are complex to understand and require careful inspection for discovery. However, there are many useful automation solutions available to automatically analyze code for bugs and vulnerabilities. There are both commercial and open-source products available to cover popular programming languages and frameworks. Selection of an appropriate code analysis solution is based on several factors including depth and accuracy of inspection, product usability and usage model, expandability and customization features, applicability to the organization’s architecture and technology stack(s), etc. Add’l Success Metrics Utilize input from security-savvy technical staff as well as developers and development managers in the selection process, and review overall results with stakeholders. ✦✦>50% of projects with code review and stakeholder s...
View Full Document

{[ snackBarMessage ]}

Ask a homework question - tutors are online