Practices v10 activities 79 oe 2 operational

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: projects being audited to check each release for appropriate operational security information? ✦✦Is code signing routinely performed on software components using a consistent process? ✦✦Ad hoc improvements to software security posture through better understanding of correct operations ✦✦Operators and users aware of their role in ensuring secure deployment ✦✦Improved communications between software developers and users for securitycritical information ✦✦Detailed guidance for securityrelevant changes delivered with software releases ✦✦Updated information repository on secure operating procedures per application ✦✦Alignment of operations expectations among developers, operators, and users. ✦✦Organization-wide understanding of expectations for securityrelevant documentation ✦✦Stakeholders better able to make tradeoff decisions based on feedback from deployment and operations ✦✦Operators and/or users able to independently verify integrity of software releases Assessment SAMM / The Security Practices - v1.0 Results 78 Operational Enablement OE 1 Enable communications between development teams and operators for critical security-relevant data A. Capture critical security information for deployment With software-specific knowledge, project teams should identify any security-relevant configuration and operations information and communicate it to users and operators. This enables the actual security posture of software at deployment sites to function in the same way that designers in the project team intended. This analysis should begin with architects and developers building a list of security features built-in to the software. From that list, information about configuration options and their security impact should be captured as well. For projects that offer several different deployment models, information about the security ramifications of each should be noted to better inform users and operators about the impact of their choices. Overall, the list should be lightweight and aim to capture the most critical information. Once initially created, it should be reviewed by the project team and business stakeholders for agreement. Additionally, it is effective to review this list with select operators or users in order to ensure the information is understandable and actionable. Project teams should review and update this information with every release, but must do so at least every 6 months. B. Document procedures for typical application alerts With specific knowledge of ways in which software behaves, project teams should identify the most important error and alert messages which require user/operator attention. From each identified event, information related to appropriate user/operator actions in response to the event should be captured. From the potentially large set of events that the software might generate, select the highest priority set based on relevance in terms of the business purpose of the software.This should include any securit...
View Full Document

Ask a homework question - tutors are online