Against attacks customized security test suites to


...rability types and setting the standard that no project may pass with any corresponding findings. Over time, this baseline standard should be improved by adding additional criteria for passing the checkpoint. Generally, the code review checkpoint should occur toward the end of the implementation phase, but must occur before release. For legacy systems or inactive projects, an exception process should be created to allow those projects to continue operations, but with an explicitly assigned timeframe for mitigation of findings. Exceptions should be limited to no more than 20% of all projects.

Results
✦ Increased confidence in accuracy and applicability of code analysis results
✦ Organization-wide baseline for secure coding expectations
✦ Project teams with an objective goal for judging code-level security

Add’l Success Metrics
✦ >50% of projects using code analysis customizations
✦ >75% of projects passing code review audit in past 6 months

Add’l Costs
✦ Buildout and maintenance of custom code review checks
✦ Ongoing project overhead from code review audit
✦ Organization overhead from project delays caused by failed code review audits

Add’l Personnel
✦ Architects (1 day/yr)
✦ Developers (1 day/yr)
✦ Security Auditors (1-2 days/yr)
✦ Business Owners (1 day/yr)
✦ Managers (1 day/yr)

Related Levels
✦ Policy & Compliance - 2
✦ Secure Architecture - 3

SAMM / The Security Practices - v1.0   Activities   65

Security Testing

ST 1
Objective: Establish process to perform basic security tests based on implementation and software requirements
Activities:
A. Derive test cases from known security requirements
B. Conduct penetration testing on software releases
Assessment:
✦ Are projects specifying some security tests based on requirements?
✦ Do most projects perform penetration tests prior to release?
✦ Are most stakeholders aware of the security test status prior to release?
Results:
✦ Independent verification of expected security mechanisms surrounding critical business functions
✦ High-level due diligence toward security testing
✦ Ad hoc growth of a security test suite for each software project

ST 2
Objective: Make security testing during development more complete and efficient through automation
Activities:
A. Utilize automated security testing tools
B. Integrate security testing into development process
Assessment:
✦ Are projects using automation to evaluate security test cases?
✦ Do most projects follow a consistent process to evaluate and report on security tests to stakeholders?
Results:
✦ Deeper and more consistent verification of software functionality for security
✦ Development teams enabled to self-check and correct problems before release
✦ Stakeholders...

ST 3
Objective: Require application-specific security testing to ensure baseline security before deployment
Activities:
A. Employ application-specific security testing automation
B. Establish release gates for security testing
Assessment:
✦ Are security test cases comprehensively generated for application-specific logic?
✦ Do routine project audits demand minimum standard results from security testing?

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.