SAMM / The Security Practices - v1.0

Determine industry best-practices that project teams should treat as requirements. These can be chosen from publicly available guidelines, internal or external guidelines/standards/policies, or established compliance requirements.

SR 2 Security Requirements
Increase granularity of security requirements derived from business logic and known risks

Results
✦ Detailed understanding of attack scenarios against business logic
✦ Prioritized development effort for security features based on likely attacks
✦ More educated decision-making for tradeoffs between features and security efforts
✦ Stakeholders that can better avoid functional requirements that inherently have security flaws

Add’l Success Metrics
✦ >75% of all projects with updated abuse-case models within past 6 months

Add’l Costs
✦ Project overhead from buildout and maintenance of abuse-case models

Add’l Personnel
✦ Security Auditor (2 days/yr)
✦ Managers (1 day/yr)
✦ Architects (2 days/yr)
✦ Business Owners (1 day/yr)

Related Levels
✦ Threat Assessment - 1 & 3
✦ Strategy & Metrics - 1

Activities

A. Build an access control matrix for resources and capabilities

Based upon the business purpose of the application, identify user and operator roles. Additionally, build a list of resources and capabilities by gathering all relevant data assets and application-specific features that are guarded by any form of access control.

In a simple matrix with roles on one axis and resources on the other, consider the relationships between each role and each resource and note in each intersection the correct behavior of the system in terms of access control according to stakeholders. For data resources, it is important to note access rights in terms of creation, read access, update, and deletion. For resources that are features, gradation of access rights will likely be application-specific, but at a minimum note if the role should be permitted access to the feature.

This permission matrix will serve as an artifact to document the correct access control rights for the business logic of the overall system. As such, it should be created by the project teams with input from business stakeholders. After initial creation, it should be updated by business stakeholders before every release, but usually toward the beginning of the design phase.

B. Specify security requirements based on known risks

Explicitly review existing artifacts that indicate organization or project-specific security risk in order to better understand the overall risk profile for the software. When available, draw on resources such as the high-level business risk profile, individual application threat models, findings from design review, code review, security testing, etc.

In addition to review of existing artifacts, use abuse-case models for an application to serve as fuel for identification of concrete security requirements that directly or indirectly mitigate the abuse scenarios.
This process should be conducted by busin...
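
The access control matrix from activity A, written as a data structure with a completeness check, a deny-by-default lookup and a comparison against the grants a system actually implements. This is an added example, not part of SAMM; the roles, resources, entry notation and helper names are assumptions constructed for illustration.

```python
from itertools import product

# Constructed sample for a hypothetical ticketing app; every name is an assumption.
ROLES = ["customer", "support_agent", "operator"]
DATA_RESOURCES = ["ticket", "user_profile"]       # rights noted as C/R/U/D letters
FEATURES = ["export_report", "impersonate_user"]  # rights noted as permit/deny

# One entry per intersection: CRUD letters for data ("" = no access), bool for features.
MATRIX = {
    ("customer", "ticket"): "CR",
    ("customer", "user_profile"): "RU",
    ("customer", "export_report"): False,
    ("customer", "impersonate_user"): False,
    ("support_agent", "ticket"): "CRU",
    ("support_agent", "user_profile"): "R",
    ("support_agent", "export_report"): True,
    ("support_agent", "impersonate_user"): False,
    ("operator", "ticket"): "RD",
    ("operator", "user_profile"): "CRUD",
    ("operator", "export_report"): True,
    # ("operator", "impersonate_user") is left out on purpose to trigger the gap check.
}

def validate(matrix):
    """Return a list of problems: undecided intersections and malformed entries."""
    problems = []
    for role, res in product(ROLES, DATA_RESOURCES + FEATURES):
        entry = matrix.get((role, res))
        if entry is None:
            problems.append(f"undecided: {role} x {res}")
        elif res in DATA_RESOURCES:
            if not isinstance(entry, str) or set(entry) - set("CRUD"):
                problems.append(f"bad CRUD entry: {role} x {res} = {entry!r}")
        elif not isinstance(entry, bool):
            problems.append(f"feature needs True/False: {role} x {res}")
    return problems

def is_allowed(matrix, role, resource, action="use"):
    """Deny by default: anything the matrix does not grant is refused."""
    entry = matrix.get((role, resource))
    if resource in DATA_RESOURCES:
        return isinstance(entry, str) and action in set(entry)
    return entry is True

def drift(matrix, implemented):
    """Grants found in the running system that the matrix does not allow."""
    return sorted(g for g in implemented if not is_allowed(matrix, *g))
```

Running `validate` before each release surfaces intersections stakeholders have not yet decided, and `drift` takes (role, resource, action) tuples exported from the application's real authorization configuration.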
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.