Conduct technical security awareness training build


in the software life-cycle with role-specific guidance on secure development

Mandate comprehensive security training and certify personnel for baseline knowledge

Activities

A. Conduct technical security awareness training
B. Build and maintain technical guidelines

A. Conduct role-specific application security training
B. Utilize security coaches to enhance project teams

A. Create formal application security support portal
B. Establish role-based examination/certification

SAMM / Understanding the Model - v1.0

Construction

Description of Security Practices

Threat Assessment

The Threat Assessment (TA) Practice is centered on identification and understanding the project-level risks based on the functionality of the software being developed and characteristics of the runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security. Additionally, decisions for risk acceptance are more informed, therefore better aligned to the business.

By starting with simple threat models and building to more detailed methods of threat analysis and weighting, an organization improves over time. Ultimately, a sophisticated organization would maintain this information in a way that is tightly coupled to the compensating factors and pass-through risks from external entities. This provides greater breadth of understanding for potential downstream impacts from security issues while keeping a close watch on the organization’s current performance against known threats.

Security Requirements

The Security Requirements (SR) Practice is focused on proactively specifying the expected behavior of software with respect to security. Through addition of analysis activities at the project level, security requirements are initially gathered based on the high-level business purpose of the software. As an organization advances, more advanced techniques are used such as access control specifications to discover new security requirements that may not have been initially obvious to development.

In a sophisticated form, provision of this Practice also entails pushing the security requirements of the organization into its relationships with suppliers and then auditing projects to ensure all are adhering to expectations with regard to specification of security requirements.

Secure Architecture

The Secure Architecture (SA) Practice is focused on proactive steps for an organization to design and build secure software by default. By enhancing the software design process with reusable services and components, the overall security risk from software development can be dramatically reduced.

Beginning from simple recommendations about software frameworks and explicit consideration of secure design principles, an organization evolves toward consistently using design patterns for security functionality. Also, activities encourage project teams to increased utilization of centralized security services and infrastructure. As an org...