Code Review: maturity levels

Objective
  CR 3: ...er language-level and application-specific risks

Activities
  CR 1: A. Create review checklists from known security requirements
        B. Perform point-review of high-risk code
  CR 2: A. Utilize automated code analysis tools
        B. Integrate code analysis into development process
  CR 3: A. Customize code analysis for application-specific concerns
        B. Establish release gates for code review

Assessment
  CR 1: ✦✦ Do most project teams have review checklists based on common problems?
        ✦✦ Are project teams generally performing review of selected high-risk code?
  CR 2: ✦✦ Can most project teams access automated code analysis tools to find security problems?
        ✦✦ Do most stakeholders consistently require and review results from code reviews?
  CR 3: ✦✦ Do project teams utilize automation to check code against application-specific coding standards?
        ✦✦ Does routine project audit require a baseline for code review results prior to release?

Results
  CR 1: ✦✦ Inspection for common code vulnerabilities that lead to likely discovery or attack
        ✦✦ Lightweight review for coding errors that lead to severe security impact
        ✦✦ Basic code-level due diligence for security assurance
  CR 2: ✦✦ Development enabled to consistently self-check for code-level security vulnerabilities
        ✦✦ Routine analysis results to compile historic data on per-team secure coding habits
        ✦✦ Stakeholders aware of unmitigated vulnerabilities to support better tradeoff analysis
  CR 3: ✦✦ Increased confidence in accuracy and applicability of code analysis results
        ✦✦ Organization-wide baseline for secure coding expectations
        ✦✦ Project teams with an objective goal for judging code-level security

SAMM / The Security Practices - v1.0, page 62

Code Review
CR 1: Opportunistically find basic code-level vulnerabilities and other high-risk security issues

A. Create review checklists from known security requirements

From the known security requirements for a project, derive a lightweight code review checklist for security. These can be checks specific to the security concerns surrounding the functional requirements, or checks for secure coding best practices based on the implementation language, platform, typical technology stack, etc. Because of these variations, a set of checklists is often needed to cover the different types of software development within an organization. Regardless of whether they are created from publicly available resources or purchased, technical stakeholders such as development managers, architects, developers, and security auditors should review the checklists for efficacy and feasibility. It is important to keep the lists short and simple, aiming to catch high-priority issues that are straightforward to find in code either manually or with simple search tools. Code analysis automation tools may also be used to achieve this same end, but they should be customized to reduce the overall set of security checks to a small, valuable set so that the scan and review process stays efficient. Developers should be briefed on the goals of the checklists appropriate to their job function.

B. Perform point-review of high-risk co...
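As an added illustration of activity A (a short checklist of high-priority checks that simple search tools can find), combined with the release-gate idea from level 3, here is a checklist-as-code scanner. This is constructed example code, not SAMM material; the rule patterns, severities, gate baseline and sample module are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed checklist: each entry is one high-priority, easy-to-grep check
# derived from a security requirement. Kept deliberately short, as the text
# advises, so the review stays fast and the findings stay valuable.
CHECKLIST = [
    ("CR-01", "high", "Shell command built from a string (injection risk)",
     re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    ("CR-02", "high", "Dynamic code execution",
     re.compile(r"\b(eval|exec)\s*\(")),
    ("CR-03", "high", "Hard-coded credential",
     re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]")),
    ("CR-04", "medium", "TLS certificate verification disabled",
     re.compile(r"verify\s*=\s*False")),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line_no: int
    text: str

def scan(source: str) -> list[Finding]:
    """Apply every checklist rule to every line; return findings in line order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip comments: reviewers want real code
            continue
        for rule_id, severity, _desc, pattern in CHECKLIST:
            if pattern.search(line):
                findings.append(Finding(rule_id, severity, line_no, line.strip()))
    return findings

def release_gate(findings: list[Finding], max_high: int = 0) -> bool:
    """Level-3 style gate: pass only if the number of 'high' findings is within the baseline."""
    return sum(f.severity == "high" for f in findings) <= max_high

# Constructed sample module under review (not real project code).
SAMPLE = """\
import subprocess, requests
API_KEY = "sk-live-example-not-real"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def fetch(url):
    return requests.get(url, verify=False)
"""

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.rule_id} [{f.severity}] line {f.line_no}: {f.text}")
    print("release gate:", "PASS" if release_gate(found) else "FAIL")
```

Running it on the sample reports three findings (two high, one medium) and the gate fails at the default baseline of zero high findings.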