the artifacts created from the design process to ensure provision of adequate security mechanisms and adherence to an organization’s expectations for security.

an organization’s source code to aid vulnerability discovery and related mitigation activities as well as establish a baseline for secure coding expectations.

an organization’s software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.
Maturity Levels

Each of the twelve Security Practices has three defined Maturity Levels and an implicit starting point at zero. The details for each level differ between the Practices, but they generally represent:

0 Implicit starting point representing the activities in the Practice being unfulfilled
1 Initial understanding and ad hoc provision of Security Practice
2 Increase efficiency and/or effectiveness of the Security Practice
3 Comprehensive mastery of the Security Practice at scale

Notation

Throughout this document, the following capitalized terms will be reserved words that refer to the SAMM components defined in this section. If these terms appear without capitalization, they should be interpreted based on their context:

✦ Business Function also as Function
✦ Security Practice also as Practice
✦ Maturity Level also as Level, Objective

SAMM / Understanding the Model - v1.0

[Figure: Business Function labels (Deployment, Construction, Governance)]

all strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization’s security posture.
Description of Security Practices

Strategy & Metrics

The Strategy & Metrics (SM) Practice is focused on establishing the framework within an organization for a software security assurance program. This is the most fundamental step in defining security goals in a way that’s both measurable and aligned with the organization’s real business risk.

By starting with lightweight risk profiles, an organization grows into more advanced risk classification schemes for application and data assets over time. With additional insight on relative risk measures, an organization can tune its project-level security goals and develop granular roadmaps to make the security program more efficient.

At the more advanced levels within this Practice, an organization draws upon many data sources, both internal and external, to collect metrics and qualitative feedback on the security program. This allows fine tuning of cost outlay versus the realized benefit at the program level.

Policy & Compliance
The Policy & Compliance (PC) Practice is focused on understanding and meeting external legal and
regulatory requirements while also driving internal security standards to ensure compliance in a way
that’s aligned with the business purpose of the organization.
A driving theme for improvement within this Practice is focus on project-level audits that gather information about the organization’s be...
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.