in the software life-cycle with role-specific guidance on secure development
Mandate comprehensive security training and certify personnel for baseline knowledge

Activities
A. Conduct technical security
B. Build and maintain technical guidelines
A. Conduct role-specific application security training
B. Utilize security coaches to enhance project teams
A. Create formal application security support portal
B. Establish role-based examination/certification

SAMM / Understanding the Model - v1.0
EG ...more on page 42

Construction
Description of Security Practices

Threat Assessment
The Threat Assessment (TA) Practice is centered on identification and understanding the project-level
risks based on the functionality of the software being developed and characteristics of the runtime
environment. From details about threats and likely attacks against each project, the organization as a
whole operates more effectively through better decisions about prioritization of initiatives for security.
Additionally, decisions for risk acceptance are more informed, therefore better aligned to the business.
By starting with simple threat models and building to more detailed methods of threat analysis and
weighting, an organization improves over time. Ultimately, a sophisticated organization would maintain
this information in a way that is tightly coupled to the compensating factors and pass-through risks from
external entities. This provides greater breadth of understanding for potential downstream impacts
from security issues while keeping a close watch on the organization’s current performance against
known threats.

Security Requirements
The Security Requirements (SR) Practice is focused on proactively specifying the expected behavior
of software with respect to security. Through addition of analysis activities at the project level, security
requirements are initially gathered based on the high-level business purpose of the software. As an organization advances, more advanced techniques are used such as access control specifications to discover
new security requirements that may not have been initially obvious to development.
In a sophisticated form, provision of this Practice also entails pushing the security requirements of the
organization into its relationships with suppliers and then auditing projects to ensure all are adhering
to expectations with regard to specification of security requirements.

Secure Architecture
The Secure Architecture (SA) Practice is focused on proactive steps for an organization to design and
build secure software by default. By enhancing the software design process with reusable services and
components, the overall security risk from software development can be dramatically reduced.
Beginning from simple recommendations about software frameworks and explicit consideration of
secure design principles, an organization evolves toward consistently using design patterns for security
functionality. Also, activities encourage project teams toward increased utilization of centralized security
services and infrastructure.
As an org...
- Spring '14