...ign-off in past 6 months
>80% of projects with access to automated code review results in past 1 month

B. Integrate code analysis into development process

Add'l Costs
- Research and selection of code analysis solution
- Initial cost and maintenance of automation integration
- Ongoing project overhead from automated code review and mitigation

Add'l Personnel
- Developers (1-2 days/yr)
- Architects (1 day/yr)
- Managers (1-2 days/yr)
- Security Auditors (3-4 days/yr)

SAMM / The Security Practices - v1.0

Once a code analysis solution is selected, it must be integrated into the development process to encourage project teams to utilize its capabilities. An effective way to accomplish this is to set up the infrastructure for the scans to run automatically at build time or from code in the project's code repository. In this fashion, results are available earlier, enabling development teams to self-check along the way before release.

A potential problem with legacy systems or large ongoing projects is that code scanners will typically report findings in modules that were not being updated in the release. If automatic scanning is set up to run periodically, an effective strategy to avoid review overhead is to limit consideration of findings to those that have been added, removed, or changed since the previous scan. It is critical not to ignore the rest of the results, however, so development managers should take input from security auditors, stakeholders, and the project team to formulate a concrete plan for addressing the rest of the findings. If unaddressed findings from code review remain at release, these must be reviewed and accepted by project stakeholders.

Code Review
CR 3
Mandate comprehensive code review process to discover language-level and application-specific risks

A. Customize code analysis for application-specific concerns

Code scanning tools are powered by a built-in knowledge base of rules to check code based on language APIs and commonly used libraries, but have limited ability to understand custom APIs and designs to apply analogous checks. However, through customization, a code scanner can be a powerful, generic analysis engine for finding organization- and project-specific security concerns. While details vary between tools in terms of ease and power of custom analysis, code scanner customization generally involves specifying checks to be performed at specific APIs and function call sites. Checks can include analysis for adherence to internal coding standards, unchecked tainted data being passed to custom interfaces, tracking and verification of sensitive data handling, correct usage of an internal API, etc. Checkers for usage of shared code-bases are an effective place to begin scanner customizations, since the created checkers can be utilized across multiple projects. To customize a tool for a code-base, a security auditor should inspect both code and high-level design to identify candidate checkers to discuss with development staff and stakeholders for implementation.

B. Establish release gates for code review

To set a code-level security baseline for all software projects, a particular point in the software development life-cycle should be established as a checkpoint where a minimum standard for code review results must be met in order to make a release. To begin, this standard should be straightforward to meet, for example by choosing one or two vulne...
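The two mechanisms described above, limiting review to findings added or removed since the previous scan and failing a release when a minimum standard is not met, as an added example that is not part of the SAMM text. Rule ids, file paths and the two sample scans are constructed for illustration, and real scanner output would be loaded in place of the inline lists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One scanner finding; frozen so findings can be compared as set members."""
    rule: str      # checker or rule id reported by the scanner
    path: str      # file in the project's code repository
    snippet: str   # normalized offending source line (line numbers shift between scans)
    severity: str  # "high", "medium" or "low"

def diff_findings(previous, current):
    """Split the current scan into findings added, removed, or carried since the previous scan."""
    prev, cur = set(previous), set(current)
    return {"added": cur - prev, "removed": prev - cur, "carried": prev & cur}

def release_gate(delta, gated_rules, max_new_high=0):
    """Minimum standard for a release: no new finding for a gated rule and at most max_new_high
    new high-severity findings. Carried findings are listed for stakeholder review, not blocked."""
    reasons = []
    for f in sorted(delta["added"], key=lambda f: (f.path, f.rule)):
        if f.rule in gated_rules:
            reasons.append(f"new {f.rule} finding in {f.path}")
    new_high = sum(1 for f in delta["added"] if f.severity == "high")
    if new_high > max_new_high:
        reasons.append(f"{new_high} new high-severity finding(s), budget is {max_new_high}")
    return {"passed": not reasons, "reasons": reasons,
            "carried_for_stakeholder_review": sorted(f.path for f in delta["carried"])}

# Constructed sample scans of a legacy project: the old report module was not touched in this
# release, one legacy finding was fixed, and a new API module was added. All values are invented.
PREVIOUS_SCAN = [
    Finding("sql-injection", "legacy/report.py", "cursor.execute(query + name)", "high"),
    Finding("weak-hash", "legacy/auth.py", "hashlib.md5(password)", "medium"),
]
CURRENT_SCAN = [
    Finding("sql-injection", "legacy/report.py", "cursor.execute(query + name)", "high"),
    Finding("path-traversal", "api/files.py", "open(base_dir + user_path)", "high"),
]

def gate_example():
    """Run the gate over the constructed scans; it fails only on the new api/files.py finding."""
    delta = diff_findings(PREVIOUS_SCAN, CURRENT_SCAN)
    return release_gate(delta, gated_rules={"sql-injection", "path-traversal"})

if __name__ == "__main__":
    result = gate_example()
    print("release gate:", "PASS" if result["passed"] else "FAIL", result["reasons"])
    print("carried findings for stakeholder review:", result["carried_for_stakeholder_review"])
```

The carried legacy finding does not block the release but is surfaced separately, matching the text's requirement that unaddressed findings be reviewed and accepted by project stakeholders.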