Barb Vann's Web Site


Building Security into Software Development

Posted by Barb on 10th September 2009

Recently I attended a seminar sponsored by OWASP. The seminar focused on various aspects of application security. The seminar was well organized and the speakers were very good; it was an excellent way to spend an afternoon. OWASP has chapters in many locations around the world, and if you have an interest or passion in security topics, I would encourage you to check them out.
With cybercrime on the rise and the economic downturn straining scarce resources, I think it is critical to try to strike the right balance between investment and acceptable risk. The probability of the risk, the potential impact, and the cost to mitigate the risk all need to be considered when determining where to target your scarce resources. There is a multitude of frameworks, methodologies, and approaches that have been used successfully. One of the presenters at the seminar gave an overview of a framework called SAMM. SAMM is a flexible and prescriptive framework for building security into a software development organization. I found the framework intriguing and thought it could be used as a tool to go beyond compliance and build a balanced software security assurance program. It is not a silver bullet or a one-size-fits-all solution, but it is a tool that you can use as part of your overall toolkit.
The entire guide is available for download at their website. I have not had an opportunity to read it in its entirety, but following is a brief overview based on the material presented at OWASP. As an open project, SAMM content is vendor-neutral and freely available for all to use.
SAMM covers more than typical SDLC-based models for security. SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that’s aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization’s effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program.
The resources provided by SAMM will aid in:
· Evaluating an organization’s existing software security practices
· Building a balanced software security program in well-defined iterations
· Demonstrating concrete improvements to a security assurance program
· Defining and measuring security-related activities within an organization
I hope you find this resource useful as you build or elevate your current security assurance program.
