Unformatted text preview: curity vulnerabilities through their [email protected] address.
However as this was a general support address, existing requests
were not always filtered down to the appropriate teams within the
organization and handled correctly. The need to implement a formal security vulnerability response program was also identified by
VirtualWare. Implementation Strategy
The adoption of a security assurance program within an organization is a long term strategy, and significantly impacts on the culture
of developers and the process taken by the business to develop and
deliver business applications. The adoption of this strategy is set
over a 12 month period, and due to the size of the organization will
be relatively easy to implement in that period. Strategy &
Metrics Policy &
Compliance Education &
Enablement SAMM / Case Studies - v1.0 Key Challenges 85 Phase 1 (Months 0 – 3) – Awareness & Planning VirtualWare - Phase 1 VirtualWare previously identified that they had limited knowledge and awareness of application security
threats to their organization and limited secure coding experience. The first phase of the deployment
within VirtualWare focused on training developers and implementing guidance and programs to identify
current security vulnerabilities.
Development teams within VirtualWare had limited experience in secure coding techniques therefore,
an initial training program was developed that can be provided to the developers within the organization on defensive programming techniques.
With over 300 developers and multiple languages supported within the organization one of the key
challenges for VirtualWare was to provide an education program that was technical enough to teach
developers some of the basic’s in secure coding concepts. The objective of this initial education course
was primarily on coding techniques and testing tools. The course developed and delivered within the
organization lasted for 1 day and covered the basics of secure coding.
VirtualWare was aware that they had a number of applications with vulnerabilities and no real strategy
in which to identify existing vulnerabilities and address the risks in a reasonable time-frame. A basic
risk assessment methodology was adopted and the organization undertook a review of the existing
This phase also included implementing a number of concepts for the development team to enhance
their security tools. The development teams already had a number of tools available to perform quality
type assessments. Additional investigation into code review and security testing tools was performed. Target Objectives
During this phase of the project,VirtualWare implemented the following SAMM Practices & Activities. 1
VM 1 SAMM / Case Studies - v1.0 SM 86 A. Estimate overall business risk profile
B. Build and maintain assurance pr...
View Full Document
- Spring '14