An organization's source code to aid vulnerability


…the artifacts created from the design process to ensure provision of adequate security mechanisms and adherence to an organization's expectations for security.

…an organization's source code to aid vulnerability discovery and related mitigation activities as well as establish a baseline for secure coding expectations.

…an organization's software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.

…all strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization's security posture.

Maturity Levels

Each of the twelve Security Practices has three defined Maturity Levels and an implicit starting point at zero. The details for each level differ between the Practices, but they generally represent:

0  Implicit starting point representing the activities in the Practice being unfulfilled
1  Initial understanding and ad hoc provision of the Security Practice
2  Increase efficiency and/or effectiveness of the Security Practice
3  Comprehensive mastery of the Security Practice at scale

Notation

Throughout this document, the following capitalized terms will be reserved words that refer to the SAMM components defined in this section. If these terms appear without capitalization, they should be interpreted based on their context:

✦ Business Function, also as Function
✦ Security Practice, also as Practice
✦ Maturity Level, also as Level, Objective

SAMM / Understanding the Model - v1.0

Governance: Description of Security Practices

Strategy & Metrics

The Strategy & Metrics (SM) Practice is focused on establishing the framework within an organization for a software security assurance program. This is the most fundamental step in defining security goals in a way that is both measurable and aligned with the organization's real business risk.

By starting with lightweight risk profiles, an organization grows into more advanced risk classification schemes for application and data assets over time. With additional insight on relative risk measures, an organization can tune its project-level security goals and develop granular roadmaps to make the security program more efficient. At the more advanced levels within this Practice, an organization draws upon many data sources, both internal and external, to collect metrics and qualitative feedback on the security program. This allows fine tuning of cost outlay versus the realized benefit at the program level.

Policy & Compliance

The Policy & Compliance (PC) Practice is focused on understanding and meeting external legal and regulatory requirements while also driving internal security standards to ensure compliance in a way that is aligned with the business purpose of the organization. A driving theme for improvement within this Practice is a focus on project-level audits that gather information about the organization's be...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
