Maintain list of recommended software frameworks

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: sment - 3 ✦✦Policy & Compliance - 2 SAMM / The Security Practices - v1.0 Activities 53 Secure Architecture SA 1 SA 2 SA 3 Objective Insert consideration of proactive security guidance into the software design process Direct the software design process toward knownsecure services and secureby-default designs Formally control the software design process and validate utilization of secure components Activities A. Maintain list of recommended software frameworks B. Explicitly apply security principles to design A. Identify and promote security services and infrastructure B. Identify security design patterns from architecture A. Establish formal reference architectures and platforms B. Validate usage of frameworks, patterns, and platforms Assessment ✦✦Are project teams provided with a list of recommended third-party components? ✦✦Are most project teams aware of secure design principles and applying them? ✦✦Do you advertise shared security services with guidance for project teams? ✦✦Are project teams provided with prescriptive design patterns based on their application architecture? ✦✦Are project teams building software from centrally controlled platforms and frameworks? ✦✦Are project teams being audited for usage of secure architecture components? ✦✦Ad hoc prevention of unexpected dependencies and one-off implementation choices ✦✦Stakeholders aware of increased project risk due to libraries and frameworks chosen ✦✦Established protocol within development for proactively applying security mechanisms to a design ✦✦Detailed mapping of assets to user roles to encourage better compartmentalization in design ✦✦Reusable design building blocks for provision of security protections and functionality ✦✦Increased confidence for software projects from use of established design techniques for security ✦✦Customized application development platforms that provide built-in security protections ✦✦Organization-wide expectations for proactive security effort in development ✦✦Stakeholders better able to make tradeoff decisions based on business need for secure design SAMM / The Security Practices - v1.0 Results 54 Secure Architecture SA 1 Insert consideration of proactive security guidance into the software design process A. Maintain list of recommended software frameworks Across software projects within the organization identify commonly used third-party software libraries and frameworks in use. Generally, this need not be an exhaustive search for dependencies, but rather focus on capturing the high-level components that are most often used. From the list of components, group them into functional categories based on the core features provided by the third-party component. Also, note the usage prevalence of each component across project teams to weight the reliance upon the third-party code. Using this weighted list as a guide, create a list of components to be advertised across the development organization as recommended components. Several factors should contribute to decisions for inclusion on the recommended list. Although a list can be created without conducting research specifically, it is advisable to inspect each for incident history, track record for responding to vulnerabilities, appropriateness of functionality for the organization, excessive complex...
View Full Document

Ask a homework question - tutors are online