st of approved development frameworks;
✦ Enhance the existing threat modeling process used within VirtualWare;
✦ Adopt an incident response plan and prepare a security disclosure process;
✦ Introduce Change Management procedures and formal guidelines for all projects.
To coincide with the introduction of automated tools for developers (from the previous phase), formal technical guidance on secure
coding techniques was introduced into the organization. These were
specific technical documents relating to languages and technology
and provided guidance on secure coding techniques in each relevant
With a combined approach from the education and awareness programs, technical guidance and then the introduction of automation
tools to help the developers, VirtualWare started to see a visible
difference in the code being delivered into production versions of
their applications. Developers provided positive feedback on the
tools and education made available to them under the program.
For the first time in VirtualWare, project teams became responsible
for the security and design of their application platforms. During this phase a formal review process and validation against best
practices were performed by each team. Some teams identified gaps
relating to both security and business design that needed to be
reviewed. A formal plan was put in place to ensure these gaps were
A formal incident response plan and change management procedures were introduced during this phase of the project. This was a
difficult process to implement, and VirtualWare teams initially struggled with the process as the impact on culture and the operational
side of the business was significant. However, over time each team
member identified the value in the new process and the changes
were accepted by the team over the implementation period.

Implementation Costs
A significant amount of internal resources and costs were invested
in this phase of the project. There were two different types of costs
associated with this phase.

Internal Resource Requirements
Internal resource effort used in the creation of content, workshops
and review of application security initiatives within this phase. Effort
is shown in total days per role.
Developer Architect Manager 5 Business
Owner days 7 Security
Auditor days 9 Support
Operations days days days days 6 10
3

Outsourced Resources
Due to the lack of knowledge within VirtualWare, external resources were used to assist with the creation of content, to create and
deliver the processes and guidelines, and to assist teams.
(Security) 20 days

SAMM / Case Studies - v1.0

To achieve these maturity levels VirtualWare implemented a number of programs during this phase of the roll-out. The following initiatives were adopted;

Phase 4 (Months 9 – 12) – Governance & Operational Security

VirtualWare - Phase 4

The fourth phase of the assurance program implementation within VirtualWare continues on from the
previous phases, by enhancing exist...