Are project teams building software from centrally


Secure Architecture (continued)  Yes/No
✦ Are most project teams aware of secure design principles and applying them?
✦ Do you advertise shared security services with guidance for project teams?
✦ Are project teams provided with prescriptive design patterns based on their application architecture?
✦ Are project teams building software from centrally controlled platforms and frameworks?
✦ Are project teams being audited for usage of secure architecture components?
✦ Are project teams provided with a list of recommended third-party components?

SAMM / Applying the Model - v1.0  23

Verification Assessment worksheet

Design Review (DR, scored at levels 1, 2 and 3)  Yes/No
✦ Do project teams document the attack perimeter of software designs?
✦ Do project teams check software designs against known security risks?
✦ Does routine project audit require a baseline for design review results?
✦ Does the design review process incorporate detailed data-level analysis?
✦ Are most project stakeholders aware of how to obtain a formal design review?
✦ Do most project teams specifically analyze design elements for security mechanisms?

Code Review (CR, scored at levels 1, 2 and 3)  Yes/No
✦ Do most project teams have review checklists based on common problems?
✦ Are project teams generally performing review of selected high-risk code?
✦ Can most project teams access automated code analysis tools to find security problems?
✦ Do most stakeholders consistently require and review results from code reviews?
✦ Do project teams utilize automation to check code against application-specific coding standards?
✦ Does routine project audit require a baseline for code review results prior to release?

Security Testing (ST, scored at levels 1, 2 and 3)  Yes/No
✦ Are projects specifying some security tests based on requirements?
✦ Do most projects perform penetration tests prior to release?
✦ Are most stakeholders aware of the security test status prior to release?
✦ Are projects using automation to evaluate security test cases?
✦ Do most projects follow a consistent process to evaluate and report on security tests to stakeholders?
✦ Are security test cases comprehensively generated for application-specific logic?
✦ Do routine project audits demand minimum standard results from security testing?

SAMM / Applying the Model - v1.0  24

Deployment Assessment worksheet

Vulnerability Management (VM, scored at levels 1, 2 and 3)  Yes/No
✦ Do most projects have a point of contact for security issues?
✦ Does your organization have an assigned security response team?
✦ Are most project teams aware of their security point(s) of contact and response team(s)?
✦ Do most projects consistently collect and report data and metrics related to incidents?
✦ Are most incidents inspected for root causes to generate further recommendations?
✦ Are most project stakeholders aware of relevant security disclosures related to their software projects?
✦ Does the organization utilize a consistent process...

Environment Hardening (EH, scored at levels 1, 2 and 3)  Yes/No
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
