Project overhead from buildout and maintenance of


SAMM / The Security Practices - v1.0

Determine industry best-practices that project teams should treat as requirements. These can be chosen from publicly available guidelines, internal or external guidelines/standards/policies, or established compliance requirements.

SR 2 Security Requirements
Increase granularity of security requirements derived from business logic and known risks

Results
✦ Detailed understanding of attack scenarios against business logic
✦ Prioritized development effort for security features based on likely attacks
✦ More educated decision-making for tradeoffs between features and security efforts
✦ Stakeholders that can better avoid functional requirements that inherently have security flaws

Add’l Success Metrics
✦ >75% of all projects with updated abuse-case models within past 6 months

Add’l Costs
✦ Project overhead from buildout and maintenance of abuse-case models

Add’l Personnel
✦ Security Auditor (2 days/yr)
✦ Managers (1 day/yr)
✦ Architects (2 days/yr)
✦ Business Owners (1 day/yr)

Related Levels
✦ Threat Assessment - 1 & 3
✦ Strategy & Metrics - 1

Activities

A. Build an access control matrix for resources and capabilities

Based upon the business purpose of the application, identify user and operator roles. Additionally, build a list of resources and capabilities by gathering all relevant data assets and application-specific features that are guarded by any form of access control.

This permission matrix will serve as an artifact to document the correct access control rights for the business logic of the overall system. As such, it should be created by the project teams with input from business stakeholders. After initial creation, it should be updated by business stakeholders before every release, but usually toward the beginning of the design phase.

In a simple matrix with roles on one axis and resources on the other, consider the relationships between each role and each resource and note in each intersection the correct behavior of the system in terms of access control according to stakeholders. For data resources, it is important to note access rights in terms of creation, read access, update, and deletion. For resources that are features, gradation of access rights will likely be application-specific, but at a minimum note if the role should be permitted access to the feature.

B. Specify security requirements based on known risks

Explicitly review existing artifacts that indicate organization or project-specific security risk in order to better understand the overall risk profile for the software. When available, draw on resources such as the high-level business risk profile, individual application threat models, findings from design review, code review, security testing, etc.

In addition to review of existing artifacts, use abuse-case models for an application to serve as fuel for identification of concrete security requirements that directly or indirectly mitigate the abuse scenarios. This process should be conducted by busin...
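
An added illustration of activity A, not part of SAMM or of the original page: the permission matrix kept as data, with a completeness check over every role/resource intersection, a deny-by-default lookup, and a comparison against access observed during testing. The roles, resources, rights and observed entries are constructed assumptions.

```python
from itertools import product

# Constructed sample roles and resources (assumptions, not from the SAMM text).
ROLES = ["customer", "support", "admin"]
DATA = ["order", "profile"]        # data resources: rights as C/R/U/D letters
FEATURES = ["refund", "export"]    # feature resources: permitted or not

# Stakeholder-approved matrix: one cell per (role, resource) intersection.
APPROVED = {
    ("customer", "order"): "CR",   ("customer", "profile"): "RU",
    ("customer", "refund"): False, ("customer", "export"): False,
    ("support", "order"): "RU",    ("support", "profile"): "R",
    ("support", "refund"): True,   ("support", "export"): False,
    ("admin", "order"): "CRUD",    ("admin", "profile"): "CRUD",
    ("admin", "refund"): True,     ("admin", "export"): True,
}

# Constructed sample of (role, resource, action) grants seen in security testing.
OBSERVED = [("customer", "order", "R"), ("support", "order", "D"),
            ("customer", "export", "use"), ("admin", "refund", "use")]

def validate(matrix):
    """Return problems: unfilled intersections and malformed cells."""
    problems = []
    for role, res in product(ROLES, DATA + FEATURES):
        cell = matrix.get((role, res))
        if cell is None:
            problems.append(f"missing cell: {role} x {res}")
        elif res in DATA and not (isinstance(cell, str) and set(cell) <= set("CRUD")):
            problems.append(f"bad CRUD rights: {role} x {res} = {cell!r}")
        elif res in FEATURES and not isinstance(cell, bool):
            problems.append(f"feature cell must be True/False: {role} x {res}")
    return problems

def allowed(matrix, role, res, action="use"):
    """Deny by default: unknown roles, resources or actions are refused."""
    cell = matrix.get((role, res))
    if res in DATA:
        return isinstance(cell, str) and len(action) == 1 and action in cell
    return cell is True

def excess_grants(matrix, observed):
    """Rights the running system grants that the approved matrix does not."""
    return sorted((role, res, act) for role, res, act in observed
                  if not allowed(matrix, role, res, act))
```

Running `validate` on the matrix before each release catches intersections that were never decided, and `excess_grants` turns the approved matrix into a check against what the implementation actually permits.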

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
