Code Review: The Code Review (CR) Practice is focused on



...of designs and enforcement of baseline expectations for conducting design assessments and reviewing findings before releases are accepted.

Code Review

The Code Review (CR) Practice is focused on inspection of software at the source code level in order to find security vulnerabilities. Code-level vulnerabilities are generally simple to understand conceptually, but even informed developers can easily make mistakes that leave software open to potential compromise. To begin, an organization uses lightweight checklists and, for efficiency, inspects only the most critical software modules. However, as an organization evolves, it uses automation technology to dramatically improve the coverage and efficacy of code review activities. Sophisticated provision of this Practice involves deeper integration of code review into the development process to enable project teams to find problems earlier. This also enables organizations to better audit and set expectations for code review findings before releases can be made.

SAMM / Understanding the Model - v1.0 14

Security Testing

The Security Testing (ST) Practice is focused on inspection of software in the runtime environment in order to find security problems. These testing activities bolster the assurance case for software by checking it in the same context in which it is expected to run, thus making visible operational misconfigurations or errors in business logic that are otherwise difficult to find. Starting with penetration testing and high-level test cases based on the functionality of the software, an organization evolves toward the use of security testing automation to cover the wide variety of test cases that might demonstrate a vulnerability in the system. In an advanced form, provision of this Practice involves customization of testing automation to build a battery of security tests covering application-specific concerns in detail. With additional visibility at the organization level, security testing enables organizations to set minimum expectations for security testing results before a project release is accepted.

Verification Activities overview

Design Review (DR) ...more on page 58
  DR 1
    Objective: Support ad hoc reviews of software design to ensure baseline mitigations for known risks
    Activities: A. Identify software attack surface; B. Analyze design against known security requirements
  DR 2
    Objective: Offer assessment services to review software design against comprehensive best practices for security
    Activities: A. Inspect for complete provision of security mechanisms; B. Deploy design review service for project teams
  DR 3
    Objective: Require assessments and validate artifacts to develop detailed understanding of protection mechanisms
    Activities: A. Develop data-flow diagrams for sensitive resources; B. Establish release gates for design review

Code Review (CR) ...more on page 62
  CR 1
    Objective: Opportunistically find basic code-level vulnerabilities and other high-risk security issues
  CR 2
    Objective: Make code review during development more accurate and efficient through automation
  CR 3
    Objective: Man...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
