typical application alerts
✦ Additional Education & Training courses for QA Testers, Managers & Architects;
✦ Conduct data asset classification and set security goals;
✦ Develop the risk assessment methodology into a threat modeling approach with attack trees and profiles;
✦ Review and identify security requirements per application platform;
✦ Introduction of automated tools to assist with code coverage and security analysis of existing applications and new code bases;
✦ Review and enhance existing penetration testing programs;
✦ Enhance the existing software development life-cycle to support security testing as a part of the development process.
VirtualWare adapted the existing application security training program to provide a smaller, less technical version as a Business Application Security awareness program. This was a shorter 4-hour course, and was extended to Managers, Business Owners of the
A high-level review of the existing code review and penetration testing programs identified that the process was inadequate and needed to be enhanced to provide better testing and results on application security vulnerabilities. The team set out to implement a new program of performing penetration testing and code reviews. As a part of this program, each senior developer in a program team was allocated approximately 4 days to perform a high-level source code review of their application.
VirtualWare management understood that the infrastructure and
applications are tightly integrated, and during this phase the operational side of the application platforms (infrastructure) was reviewed. This phase looked at the infrastructure requirements and
application integration features between the recommended deployed hardware and the application interfaces.
During this phase the strategic roadmap and methodology for application security was reviewed by the project team. The objective of this review and update was to formally classify data assets and set the appropriate level of business risk associated with the data assets and applications. From this the project team was able to set security goals for these applications.

Implementation Costs
A significant amount of internal resources and costs were invested in this phase of the project. There were three different types of costs associated with this phase.

Internal Resource Requirements
Internal resource effort used in the creation of content, workshops and review of application security initiatives within this phase. Effort is shown in total days per role.

Role                Effort
Developer           8 days
Architect           10 days
Manager             8 days
Operations          5 days
Business Owner      3 days
QA Tester           15 days
Security Auditor    2 days

Training Resource Requirements (Training per person for period)
Additional personnel within VirtualWare were required to attend a training course, and therefore several roles had time allocated to training on application security.
(per person) 1 day Manager