Does your organization understand and document the


ing good business decisions regarding application security.

Results
✦ Efficient remediation of vulnerabilities in both ongoing and legacy code bases
✦ Quickly understand and mitigate against new attacks and threats
✦ Judge security savvy of staff and measure against a common standard
✦ Establish fair incentives toward security awareness

Add’l Success Metrics
✦ >80% staff certified within past 1 year

Add’l Costs
✦ Certification examination build-out or license
✦ Ongoing maintenance and change control for application security support portal
✦ Human-resources and overhead cost for implementing employee certification

Add’l Personnel
✦ Developers (1 day/yr)
✦ Architects (1 day/yr)
✦ Managers (1 day/yr)
✦ Business Owners (1 day/yr)
✦ QA Testers (1 day/yr)
✦ Security Auditors (1 day/yr)

Related Levels
✦ Policy & Compliance - 2 & 3

SAMM / The Security Practices - v1.0

Threat Assessment

TA 1
Objective: Identify and understand high-level threats to the organization and individual projects
Activities:
A. Build and maintain application-specific threat models
B. Develop attacker profile from software architecture
Assessment:
✦ Do most projects in your organization consider and document likely threats?
✦ Does your organization understand and document the types of attackers it faces?
Results:
✦ High-level understanding of factors that may lead to negative outcomes
✦ Increased awareness of threats amongst project teams
✦ Inventory of threats for your organization

TA 2
Objective: Increase accuracy of threat assessment and improve granularity of per-project understanding
Activities:
A. Build and maintain abuse-case models per project
B. Adopt a weighting system for measurement of threats
Assessment:
✦ Do project teams regularly analyze functional requirements for likely abuses?
✦ Do project teams use a method of rating threats for relative comparison?
✦ Are stakeholders aware of relevant threats and ratings?
Results:
✦ Granular understanding of likely threats to individual projects
✦ Framework for better tradeoff decisions within project teams
✦ Ability to prioritize development efforts within a project team based on risk weighting

TA 3
Objective: Concretely tie compensating controls to each threat against internal and third-party software
Activities:
A. Explicitly evaluate risk from third-party components
B. Elaborate threat models with compensating controls
Assessment:
✦ Do project teams specifically consider risk from external software?
✦ Are all protection mechanisms and controls captured and mapped back to threats?
Results:
✦ Deeper consideration of full threat profile for each software project
✦ Detailed mapping of assurance features to established threats against each software project
✦ Artifacts to document due diligence based on business function of each software project

Threat Assessment TA 1
Identify and understand high-level threats to the organization and individual projects

Activities
A. Build and maintain application-specific threat models
Based purely on the business purpose of eac...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
