SAMM / The Security Practices - v1.0

Education & Guidance

EG 1
Offer development staff access to resources around the topics of secure programming and deployment

Activities

A. Conduct technical security awareness training

Either internally or externally sourced, conduct security training for technical staff that covers the basic tenets of application security. Generally, this can be accomplished via instructor-led training in 1-2 days or via computer-based training with modules taking about the same amount of time per developer. Course content should cover both conceptual and technical information. Appropriate topics include high-level best practices surrounding input validation, output encoding, error handling, logging, authentication, and authorization. Additional coverage of commonplace software vulnerabilities is also desirable, such as a Top 10 list appropriate to the software being developed (web applications, embedded devices, client-server applications, back-end transaction systems, etc.). Wherever possible, use code samples and lab exercises in the specific programming language(s) that apply. To roll out such training, it is recommended to mandate annual security training and then hold courses (either instructor-led or computer-based) as often as required based on development head-count.

B. Build and maintain technical guidelines

For development staff, assemble a list of approved documents, web pages, and technical notes that provide technology-specific security advice. These references can be assembled from many publicly available resources on the Internet. In cases where very specialized or proprietary technologies permeate the development environment, utilize senior, security-savvy staff to build security notes over time to create such a knowledge base in an ad hoc fashion. Ensure management is aware of the resources and briefs incoming staff about their expected usage. Try to keep the guidelines lightweight and up-to-date to avoid clutter and irrelevance. Once a comfort level has been established, the guidelines can be used as a qualitative checklist to ensure that they have been read, understood, and followed in the development process.

Results
✦ Increased developer awareness of the most common problems at the code level
✦ Maintain software with rudimentary security best practices in place
✦ Set a baseline for security know-how among technical staff
✦ Enable qualitative security checks for baseline security knowledge

Success Metrics
✦ >50% of development staff briefed on security issues within the past 1 year
✦ >75% of senior development/architect staff briefed on security issues within the past 1 year
✦ Launch technical guidance within 3 months of first training

Costs
✦ Training course buildout or license
✦ Ongoing maintenance of technical guidance

Personnel
✦ Developers (1-2 days/yr)
✦ Architects (1-2 days/yr)

Related Levels
✦ Policy & Compliance - 2
✦ Security Requirements - 1
✦ Secure Architecture - 1

EG 2
Educate all personnel in the software life-cycle with role-specific guidance on secure de...