A small team has been set up within VirtualWare to

✦ typical application alerts
✦ Additional Education & Training courses for QA Testers, Managers & Architects;
✦ Conduct data asset classification and set security goals;
✦ Develop the risk assessment methodology into a threat modeling approach with attack trees and profiles;
✦ Review and identify security requirements per application platform;
✦ Introduction of automated tools to assist with code coverage and security analysis of existing applications and new code bases;
✦ Review and enhance existing penetration testing programs;
✦ Enhance the existing software development life-cycle to support security testing as a part of the development process.

VirtualWare adapted the existing application security training program to provide a smaller, less technical version as a Business Application Security awareness program. This was a shorter 4-hour course, and was extended to Managers and Business Owners of the organization.

A high-level review of the existing code review and penetration testing programs identified that the process was inadequate and needed to be enhanced to provide better testing and results on application security vulnerabilities. The team set out to implement a new program of penetration testing and code reviews. As a part of this program, each senior developer in a program team was allocated approximately 4 days to perform a high-level source code review of their application.

VirtualWare management understood that the infrastructure and applications are tightly integrated, and during this phase the operational side of the application platforms (infrastructure) was reviewed. This phase looked at the infrastructure requirements and application integration features between the recommended deployed hardware and the application interfaces.

During this phase the strategic roadmap and methodology for application security was reviewed by the project team. The objective of this review and update was to formally classify data assets and set the appropriate level of business risk associated with the data assets and applications. From this the project team was able to set security goals for these applications.

Implementation Costs

A significant amount of internal resources and costs was invested in this phase of the project. There were three different types of costs associated with this phase.

Internal Resource Requirements

Internal resource effort was used in the creation of content, workshops and review of application security initiatives within this phase. Effort is shown in total days per role.

Developer Architect Manager Support Operations 8 days Business Owner 10 QA Tester days 8 days Security Auditor 5 days 3 days 15 days 2 days

Training Resource Requirements (training per person for the period)

Additional personnel within VirtualWare were required to attend a training course, and therefore several roles had time allocated to training on application security.

Architect (per person) Bus. Owner (per person) 1 day Manager (...