of designs and enforcement of baseline expectations for conducting design assessments and reviewing findings before releases are accepted.

Code Review
The Code Review (CR) Practice is focused on inspection of software at the source code level in order
to find security vulnerabilities. Code-level vulnerabilities are generally simple to understand conceptually, but even informed developers can easily make mistakes that leave software open to potential
To begin, an organization uses lightweight checklists and, for efficiency, inspects only the most critical software modules. As the organization evolves, however, it uses automation technology to dramatically improve the coverage and efficacy of code review activities.
Sophisticated provision of this Practice involves deeper integration of code review into the development process to enable project teams to find problems earlier. This also enables organizations to better audit and set expectations for code review findings before releases can be made.

SAMM / Understanding the Model - v1.0

Security Testing

The Security Testing (ST) Practice is focused on inspection of software in the runtime environment
in order to find security problems. These testing activities bolster the assurance case for software by
checking it in the same context in which it is expected to run, thus making visible operational misconfigurations or errors in business logic that are difficult to otherwise find.
Starting with penetration testing and high-level test cases based on the functionality of software, an
organization evolves toward usage of security testing automation to cover the wide variety of test cases
that might demonstrate a vulnerability in the system.
In an advanced form, provision of this Practice involves customization of testing automation to build
a battery of security tests covering application-specific concerns in detail. With additional visibility at
the organization level, security testing enables organizations to set minimum expectations for security
testing results before a project release is accepted.

Verification

Activities overview

Design Review (DR) ...more on page 58

DR 1
Objective: Support ad hoc reviews of software design to ensure baseline mitigations for known risks
Activities:
A. Identify software attack surface
B. Analyze design against known security requirements

DR 2
Objective: Offer assessment services to review software design against comprehensive best practices for security
Activities:
A. Inspect for complete provision of security mechanisms
B. Deploy design review service for project teams

DR 3
Objective: Require assessments and validate artifacts to develop detailed understanding of protection mechanisms
Activities:
A. Develop data-flow diagrams for sensitive resources
B. Establish release gates for design review

Code Review (CR) ...more on page 62

CR 1
Objective: Opportunistically find basic code-level vulnerabilities and other high-risk security issues

CR 2
Objective: Make code review during accurate and efficient through automation

CR 3
Objective: Man...