Education & Guidance - EG 1

Objective: Offer development staff access to resources around the topics of secure programming and deployment.

Activities

A. Conduct technical security awareness training

Either internally or externally sourced, conduct security training for technical staff that covers the basic tenets of application security. Generally, this can be accomplished via instructor-led training in 1-2 days or via computer-based training with modules taking about the same amount of time per developer.

Course content should cover both conceptual and technical information. Appropriate topics include high-level best practices surrounding input validation, output encoding, error handling, logging, authentication, and authorization. Additional coverage of commonplace software vulnerabilities, such as a Top 10 list appropriate to the software being developed (web applications, embedded devices, client-server applications, back-end transaction systems, etc.), is also desirable. Wherever possible, use code samples and lab exercises in the specific programming language(s) that apply.

To roll out such training, it is recommended to mandate annual security training and then hold courses (either instructor-led or computer-based) as often as required based on development head-count.

B. Build and maintain technical guidelines

For development staff, assemble a list of approved documents, web pages, and technical notes that provide technology-specific security advice. These references can be assembled from many publicly available resources on the Internet. In cases where very specialized or proprietary technologies permeate the development environment, utilize senior, security-savvy staff to build security notes over time to create such a knowledge base in an ad hoc fashion.

Ensure management is aware of the resources and briefs incoming staff about their expected usage. Try to keep the guidelines lightweight and up-to-date to avoid clutter and irrelevance. Once a comfort level has been established, they can be used as a qualitative checklist to ensure that the guidelines have been read, understood, and followed in the development

Results
✦ Increased developer awareness of the most common problems at the code level
✦ Maintain software with rudimentary security best practices in place
✦ Set baseline for security know-how among technical staff
✦ Enable qualitative security checks for baseline security knowledge

Success Metrics
✦ >50% of development staff briefed on security issues within the past 1 year
✦ >75% of senior development/architect staff briefed on security issues within the past 1 year
✦ Launch technical guidance within 3 months of first training

Costs
✦ Training course buildout or license
✦ Ongoing maintenance of technical guidance

Personnel
✦ Developers (1-2 days/yr)
✦ Architects (1-2 days/yr)

Related Levels
✦ Policy & Compliance - 2
✦ Security Requirements - 1
✦ Secure Architecture - 1
SAMM / The Security Practices - v1.0 Activities 43 EG 2 Education & Guidance Educate all personnel in the software life-cycle with role-specific guidance on secure de...