There is minimal to no guidance from the it



nization. An organization must follow safe key management processes to ensure the ongoing confidentiality of the signing keys. When dealing with any cryptographic keys, project stakeholders must also consider plans for dealing with common operational problems related to cryptography such as key rotation, key compromise, or key loss.

Since code signing is not appropriate for everything, architects and developers should work with security auditors and business stakeholders to determine which parts of the software should be signed. As projects evolve, this list should be reviewed with each release, especially when adding new modules or making changes to previously signed components.

Results
✦ Organization-wide understanding of expectations for security-relevant documentation
✦ Stakeholders better able to make tradeoff decisions based on feedback from deployment and operations
✦ Operators and/or users able to independently verify integrity of software releases

Add’l Success Metrics
✦ >80% of projects with updated operational security guide in last 6 months
✦ >80% of stakeholders briefed on code signing options and status in past 6 months

Add’l Costs
✦ Ongoing project overhead from audit of operational guides
✦ Ongoing organization overhead from management of code signing credentials
✦ Ongoing project overhead from identification and signing of code modules

Add’l Personnel
✦ Developers (1 day/yr)
✦ Architects (1 day/yr)
✦ Managers (1 day/yr)
✦ Security Auditors (1-2 days/yr)

Related Levels
✦

Case Studies
A walkthrough of example scenarios

This section features a selection of scenarios in which the application of SAMM is explained in the context of a specific business case. Using the roadmap templates as a guide, the case studies tell the story of how an organization might adapt best practices and take into account organization-specific risks when building a security assurance program.
VirtualWare
Case Study: Medium-sized Independent Software Vendor

Business Profile
Environment

VirtualWare is a leader within their market for providing integrated virtualized application platforms to help organizations consolidate their application interfaces into a single environment. Their technology is provided as a server application and desktop client built for multiple environments including Microsoft, Apple and Linux platforms. VirtualWare develops their virtualization technology on a mixture of Java, C++ and Microsoft .NET technology. Their core application virtualization technology has been written in C++ and has had a number of reviews for bugs and security, but currently no formal process exists for identifying and fixing known or unknown security bugs. The organization is of medium size (200-1000 employees) and has a global presence with branch offices in most major countries. VirtualWare has chosen to support their web technology on Java, although the back-end systems are built using Mi...