Code Review (the excerpt begins partway through this table; only the level 3 objective survives, cut at its start)

Objective
Level 3: date comprehensive code review process to discover language-level and application-specific risks

Activities
Level 1:
A. Create review checklists from known security requirements
B. Perform point-review of high-risk code
Level 2:
A. Utilize automated code
B. Integrate code analysis into development process
Level 3:
A. Customize code analysis for
B. Establish release gates for code review

Security Testing (ST 1, ST 2, ST 3)

Objective
ST 1: Establish process to perform basic security tests based on implementation and software requirements
ST 2: Make security testing during development more complete and efficient through automation
ST 3: Require application-specific security testing to ensure baseline security before deployment

Activities
ST 1:
A. Derive test cases from known
B. Conduct penetration testing on software releases
ST 2:
A. Utilize automated security testing tools
B. Integrate security testing into development process
ST 3:
A. Employ application-specific security testing automation
B. Establish release gates for security testing

(ST: more on page 66)

SAMM / Understanding the Model - v1.0

Deployment
Description of Security Practices

Vulnerability Management
The Vulnerability Management (VM) Practice is focused on the processes within an organization for handling vulnerability reports and operational incidents. With these processes in place, an organization's projects have consistent expectations and handle such events more efficiently, rather than responding in a chaotic and uninformed way.
Starting from a lightweight assignment of roles in the event of an incident, an organization grows into a more formal incident response process that ensures visibility and tracking of the issues that occur. Communication is also improved so that the processes are better understood across the organization.
In an advanced form, vulnerability management involves thorough dissection of incidents and vulnerability reports to collect detailed metrics and other root-cause information that feeds back into the organization's downstream behavior.

Environment Hardening
The Environment Hardening (EH) Practice is focused on building assurance for the runtime environment that hosts the organization's software. Since the secure operation of an application can be degraded by problems in external components, hardening this underlying infrastructure directly improves the overall security posture of the software.
Starting with simple tracking and distribution of information about the operating environment to keep development teams better informed, an organization evolves toward scalable methods for managing the deployment of security patches and for instrumenting the operating environment with early-warning detectors that flag potential security issues before damage is done.
As an organization advances, the operating environment is further reviewed and hardened by deploying protection tools that add layers of defense and safety nets to limit damage in case any vulnerabilities are exploited.

Operational Enablement

The Operational Enablement (OE) Practice is focused on gathering security critical information f...