One of the main uses of SAMM is to help organizations build software security assurance programs. That process is straightforward, and generally begins with an assessment if the organization is already performing some security assurance activities.

Several roadmap templates for common types of organizations are provided. Thus, many organizations can choose an appropriate match and then tailor the roadmap template to their needs. For other types of organizations, it may be necessary to build a custom roadmap.

Roadmaps (pictured below) consist of phases (the vertical bars) in which several Practices are each improved by one Level. Therefore, building a roadmap entails selection of which Practices to improve in each planned phase. Organizations are free to plan into the future as far as they wish, but are encouraged to iterate based on business drivers and organization-specific information to ensure the assurance goals are commensurate with their business goals and risk tolerance.

[...]d-out of an assurance program is simple. An organization begins an improvement phase and works to achieve the stated Levels by performing the prescribed Activities. At the end of the phase, the roadmap should be adjusted based on what was actually accomplished, and then the next phase can begin.

[Figure: example roadmap, with phases drawn as vertical bars across the Practices; Practice labels recoverable from the extraction: Strategy & Metrics, Policy & Compliance, Education & Guidance, Code Review, Security Testing, Vulnerability Management, Environment Hardening, Operational Enablement]

[Figure: roadmap-building flowchart; node labels recoverable from the extraction: Select appropriate roadmap, Adjust roadmap to organization, Select Practices to improve, Mark selected improvements on roadmap, Adding another phase? (yes / no), Done]

SAMM / Applying the Model - v1.0
Independent Software Vendor
Roadmap template

[Roadmap template table: columns Phase 1, Phase 2, Phase 3, Phase 4; rows for the Practices Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Security Testing, Vulnerability Management, Environment Hardening, Operational Enablement; the per-phase Level targets are not recoverable from the extraction]

Rationale

An Independent Software Vendor involves the core business function of building and selling software components and applications. Initial drivers to limit common vulnerabilities affecting customers and users lead to early concentration on Code Review and Security Testing activities. Shifting toward more proactive prevention of security errors in product specification, an organization adds activities for Security Requirements over time. Also, to minimize the impact from any discovered security issues, the organization ramps up Vulnerability Management activities over time. As the organization matures, knowledge transfer activities from Operational Enablement are added to better inform customers and users about secure operation of the software.

Additional Considerations

Outsourced Development
For organizations using external development resources, restrictions on code access typically lead to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify secur...