These serve as frameworks upon which developers can


anization evolves over time, sophisticated provision of this Practice entails organizations building reference platforms to cover the generic types of software they build. These serve as frameworks upon which developers can build custom software with less risk of vulnerabilities.

Construction Activities overview

Threat Assessment

TA 1
Objective: Identify and understand high-level threats to the organization and individual projects
Activities:
A. Build and maintain application-specific threat models
B. Develop attacker profile from software architecture

TA 2
Objective: Increase accuracy of threat assessment and improve granularity of per-project understanding
Activities:
A. Build and maintain abuse-case models per project
B. Adopt a weighting system for measurement of threats

TA 3
Objective: Concretely tie compensating controls to each threat against internal and third-party software
Activities:
A. Explicitly evaluate risk from third-party components
B. Elaborate threat models with compensating controls

Security Requirements

SR 1
Objective: Consider security explicitly during the software requirements process
Activities:
A. Derive security requirements from business functionality
B. Evaluate security and compliance guidance for requirements

SR 2
Objective: Increase granularity of security requirements derived from business logic and known risks
Activities:
A. Build an access control matrix for resources and capabilities
B. Specify security requirements based on known risks

SR 3
Objective: Mandate security requirements process for all software projects and third-party dependencies
Activities:
A. Build security requirements into supplier agreements
B. Expand audit program for security requirements

Secure Architecture

SA 1
Objective: Insert consideration of proactive security guidance into the software design process
Activities:
A. Maintain list of recommended software frameworks
B. Explicitly apply security principles to design

SA 2
Objective: Direct the software design process toward known-secure services and secure-by-default designs
Activities:
A. Identify and promote security services and infrastructure
B. Identify security design patterns from architecture

SA 3
Objective: Formally control the software design process and validate utilization of secure components
Activities:
A. Establish formal reference architectures and platforms
B. Validate usage of frameworks, patterns, and platforms

SAMM / Understanding the Model - v1.0

Verification

Description of Security Practices

Design Review

The Design Review (DR) Practice is focused on assessment of software design and architecture for security-related problems. This allows an organization to detect architecture-level issues early in software development and thereby avoid potentially large costs from refactoring later due to security concerns. Beginning with lightweight activities to build understanding of the security-relevant details about an architecture, an organization evolves toward more formal inspection methods that verify completeness in provision of security mechanisms. At the organization level, design review services are built and offered to stakeholders. In a sophisticated form, provision of this Practice involves detailed, data-level inspection...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
