SAMM / Applying the Model - v1.0

✦ … for incident reporting and handling?

Environment Hardening (answered Yes/No, worksheet grouped by maturity levels 1 to 3)
✦ Do the majority of projects document some requirements for the operational environment?
✦ Do most projects check for security updates to third-party software components?
✦ Is a consistent process used to apply upgrades and patches to critical dependencies?
✦ Do most projects leverage automation to check application and environment health?
✦ Are stakeholders aware of options for additional tools to protect software while running in operations?
✦ Does routine audit check most projects for baseline environment health?

Operational Enablement (answered Yes/No, worksheet grouped by maturity levels OE 1 to OE 3)
✦ Are security-related alerts and error conditions documented for most projects?
✦ Are most projects utilizing a change management process that is well understood?
✦ Do project teams deliver an operational security guide with each product release?
✦ Are most projects being audited to check each release for appropriate operational security information?
✦ Is code signing routinely performed on software components using a consistent process?
✦ Do you deliver security notes with the majority of software releases?

Creating Scorecards
Based on the scores assigned to each Security Practice, an organization can create a scorecard to capture those values. Functionally, a scorecard can be the simple set of 12 scores for a particular time. However, selecting a time interval over which to generate a scorecard facilitates understanding of overall changes in the assurance program during the time frame.

Using interval scorecards is encouraged for several situations:
✦ Gap analysis - Capturing scores from detailed assessments versus expected performance levels
✦ Demonstrating improvement - Capturing scores from before and after an iteration of assurance program build-out
✦ Ongoing measurement - Capturing scores over consistent time frames for an assurance program that is already in place

The figure on the right shows an example scorecard for how an organization's assurance program changed over the course of one year. If that organization had also saved the data about where they were planning on being at the end of the year, that would be another interesting data set to plot since it would help show the extent to which the plans had to change over the year.

[Figure: example scorecard with "before" and "after" scores for the twelve Security Practices: Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Security Testing, Vulnerability Management, Environment Hardening, Operational Enablement.]

Building Assurance Programs

[Figure: flowchart for building an assurance program; recovered labels: Start, Existing (no), Conduct assessment, Create roadmap, Review, Phase 4.]

After a roadmap is established, the buil...