✦ Deeper consideration of full threat profile for each software project
✦ Detailed mapping of assurance features to established threats against each software project
✦ Artifacts to document due diligence based on business function of each software project

Add'l Success Metrics
✦ >80% of project teams with updated threat models prior to every implementation cycle
✦ >80% of project teams with updated inventory of third-party components prior to every release
✦ >50% of all security incidents identified a priori by threat models in past 12 months

Add'l Costs
✦ Project overhead from maintenance of detailed threat models and expanded attacker profiles
✦ Discovery of all third-party dependencies

Add'l Personnel
✦ Business Owners (1 day/yr)
✦ Developers (1 day/yr)
✦ Architects (1 day/yr)
✦ Security Auditors (2 days/yr)
✦ Managers (1 day/yr)

Related Levels
✦ Security Requirements - 2 & 3

SAMM / The Security Practices - v1.0

Security Requirements

Objective
SR 1: Consider security explicitly during the software requirements process
SR 2: Increase granularity of security requirements derived from business logic and known risks
SR 3: Mandate security requirements process for all software projects and third-party dependencies

Activities
SR 1
  A. Derive security requirements from business functionality
  B. Evaluate security and compliance guidance for requirements
SR 2
  A. Build an access control matrix for resources and capabilities
  B. Specify security requirements based on known risks
SR 3
  A. Build security requirements into supplier agreements
  B. Expand audit program for security requirements

Assessment
SR 1
✦ Do most project teams specify some security requirements during development?
✦ Do project teams pull requirements from best-practices and compliance guidance?
SR 2
✦ Are most stakeholders reviewing access control matrices for relevant projects?
✦ Are project teams specifying requirements based on feedback from other security activities?
SR 3
✦ Are most stakeholders reviewing vendor agreements for security requirements?
✦ Are the security requirements specified by project teams being audited?

Results
SR 1
✦ High-level alignment of development effort with business risks
✦ Ad hoc capturing of industry best-practices for security as explicit requirements
✦ Awareness amongst stakeholders of measures being taken to mitigate risk from software
SR 2
✦ Detailed understanding of attack scenarios against business logic
✦ Prioritized development effort for security features based on likely attacks
✦ More educated decision-making for trade-offs between features and security efforts
✦ Stakeholders that can better avoid functional requirements that inherently have security flaws
SR 3
✦ Formally set baseline for security expectations from external code
✦ Centralized information on security effort undertaken by each project team
✦ Ability to align resources to projects based on appl...