SAMM / Applying the Model - v1.0 (excerpt: roadmap templates, Government Organization)



will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

Organizations Grown by Acquisition
In an organization grown by acquisition, there can often be several project teams following different development models with varying degrees of security-related activities incorporated. Such an organization may require a separate roadmap for each division or project team, to account for varying starting points as well as project-specific concerns if a variety of software types are being developed.

SAMM / Applying the Model - v1.0

Government Organization
Roadmap template

Rationale
A Government Organization has the core business function of being a state-affiliated organization that builds software to support public sector projects. Initially, Governance Practices are established, generally to get an idea of the overall compliance burden for the organization in the context of the concrete roadmap for improvement. Because of the risk of public exposure and the quantity of legacy code generally in place, early emphasis is given to Security Testing within the Verification Practices, and the more involved Code Review and Design Review Practices are developed later. Similar emphasis is placed on the Construction and Deployment Practices. This helps establish the organization's management of vulnerabilities and moves toward bolstering the security posture of the operating environment. At the same time, proactive security activities under Construction are built up to help prevent new issues in software under development.

[Roadmap chart: target maturity per Security Practice across Phase 1 to Phase 6. Practices charted: Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Security Testing, Vulnerability Management, Environment Hardening, Operational Enablement. The per-phase maturity levels are not recoverable from this preview.]

Additional Considerations

Outsourced Development
For organizations using external development resources, restrictions on code access typically lead to prioritizing Security Requirements activities over Code Review activities. Additionally, advancing Threat Assessment into earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

Web Services Platforms
For organizations building web services platforms, design errors can carry additional risks and be more costly to mitigate. Therefore, activities from Threat Assessment, Security Requirements, and Secure Architecture should be placed in earlier phases of the roadmap.

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
