Create review checklists from known security


Code Review (continued)

  Level 3
    Objective: ...date comprehensive code review process to discover language-level and application-specific risks

  Activities
    Level 1  A. Create review checklists from known security requirements
             B. Perform point-review of high-risk code
    Level 2  A. Utilize automated code analysis tools
             B. Integrate code analysis into the development process
    Level 3  A. Customize code analysis for application-specific concerns
             B. Establish release gates for code review

Security Testing

  ST 1
    Objective:  Establish a process to perform basic security tests based on the implementation and software requirements
    Activities: A. Derive test cases from known security requirements
                B. Conduct penetration testing on software releases
  ST 2
    Objective:  Make security testing during development more complete and efficient through automation
    Activities: A. Utilize automated security testing tools
                B. Integrate security testing into the development process
  ST 3
    Objective:  Require application-specific security testing to ensure baseline security before deployment
    Activities: A. Employ application-specific security-testing automation
                B. Establish release gates for security testing

ST ...more on page 66

SAMM / Understanding the Model - v1.0    15

Deployment

Description of Security Practices

Vulnerability Management

The Vulnerability Management (VM) Practice is focused on the processes within an organization for handling vulnerability reports and operational incidents. With these processes in place, an organization's projects have consistent expectations and handle such events more efficiently, instead of responding chaotically and without information. Starting from a lightweight assignment of roles in the event of an incident, an organization grows into a more formal incident response process that ensures visibility and tracking of the issues that occur. Communication is also improved to build overall understanding of the processes.

In an advanced form, vulnerability management involves thoroughly dissecting incidents and vulnerability reports to collect detailed metrics and other root-cause information that feeds back into the organization's downstream behavior.

Environment Hardening

The Environment Hardening (EH) Practice is focused on building assurance for the runtime environment that hosts the organization's software. Since the secure operation of an application can be undermined by problems in external components, hardening this underlying infrastructure directly improves the overall security posture of the software. By starting with simple tracking and distribution of information about the operating environment, to keep development teams better informed, an organization evolves toward scalable methods for managing the deployment of security patches and for instrumenting the operating environment with early-warning detectors that flag potential security issues before damage is done. As an organization advances, the operating environment is further reviewed and hardened by deploying protection tools that add layers of defense and safety nets to limit damage in case any vulnerability is exploited.

Operational Enablement

The Operational Enablement (OE) Practice is focused on gathering security-critical information f...
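As an added example (not from the SAMM document), here is a minimal release gate of the kind called for by the Code Review level 3 and ST 3 "establish release gates" activities above: it reads a SARIF 2.1.0 report, which most static-analysis and security-testing tools can emit, skips findings that carry an explicit suppression (the accepted-risk case), and blocks the release if anything at or above a chosen severity remains. The SARIF document and the `example-sast` tool name are constructed sample data, and the severity threshold is an assumption of this example, not a SAMM prescription.

```python
"""Release gate over SAST/DAST output in SARIF 2.1.0 format.

Constructed example for the SAMM "establish release gates" activities; the
SARIF below is hand-made sample data and the default threshold ("error") is
an assumption, not something SAMM prescribes.
"""
import json
from collections import Counter

# Constructed sample SARIF log (not real tool output): two "error" findings,
# one of them suppressed in-source, plus one "warning".
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "Hard-coded credential"},
             "suppressions": [{"kind": "inSource"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 13}}}]},
        ],
    }],
})

# A clean report: the gate must pass on it.
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": []})

# SARIF result levels, ordered so thresholds can be compared numerically.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def iter_findings(sarif_text):
    """Yield (rule_id, level, uri, line, suppressed) for every result in every run."""
    log = json.loads(sarif_text)
    for run in log.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when unset
            suppressed = any(s.get("kind") in ("inSource", "external")
                             for s in res.get("suppressions", []))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            yield res.get("ruleId", "<no-rule>"), level, uri, line, suppressed


def evaluate_gate(sarif_text, block_at="error", max_warnings=None):
    """Decide whether a release may proceed.

    Returns (passed, blocking, counts): blocking lists the unsuppressed
    findings at or above block_at; counts tallies findings by level, with
    suppressed findings counted separately so they stay visible in reports.
    """
    blocking = []
    counts = Counter()
    for rule, level, uri, line, suppressed in iter_findings(sarif_text):
        if suppressed:
            counts["suppressed"] += 1
            continue
        counts[level] += 1
        if SEVERITY_RANK.get(level, 0) >= SEVERITY_RANK[block_at]:
            blocking.append(f"{uri}:{line} {rule} ({level})")
    passed = not blocking
    # Optional budget for lower-severity noise, so it cannot grow unbounded.
    if max_warnings is not None and counts["warning"] > max_warnings:
        passed = False
    return passed, blocking, dict(counts)


if __name__ == "__main__":
    ok, why, counts = evaluate_gate(SAMPLE_SARIF)
    print("PASS" if ok else "BLOCK", counts)
    for entry in why:
        print("  ", entry)
```

Suppressed findings are deliberately kept out of the blocking list but still counted, so a reviewer can see how much accepted risk is accumulating; in a real pipeline the suppression would be tied to a tracked exception rather than trusted on its own.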

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
