
IDC industry competitive landscape, China IDC Circle, China IDC Forum, China IDC Industry Annual Conference: Software Assurance Maturity Model (Part 1)

Date: 2013-03-19 Source: 泥巴往事网


Software Assurance Maturity Model
Pravir Chandra, OpenSAMM Project Lead

Agenda
• Review of existing secure SDLC efforts
• Understanding the model
• Applying the model
• SAMM and the real world

By the end, you'll be able to...
• Evaluate an organization's existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization

Review of existing secure SDLC efforts

CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Covers the entire software lifecycle (not just development)
• Defines roles across the SDLC
• 24 role-based process components
• Adaptable to any development process
• Start small and dial in to your needs

Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release

Touchpoints
• Gary McGraw's and Cigital's model

Lessons Learned
• Microsoft SDL: Heavyweight, good for large ISVs
• Touchpoints: High-level, not enough details to execute against
• CLASP: Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf

Drivers for a Maturity Model
• An organization's behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• A solution must enable risk-based choices tailored to the organization
• There is no single recipe that works for all organizations
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
• Overall, it must be simple, well-defined, and measurable

Understanding the model

SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager

SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a 'silo' for improvement

Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  (0: Implicit starting point with the Practice unfulfilled)
  1: Initial understanding and ad hoc provision of the Practice
  2: Increased efficiency and/or effectiveness of the Practice
  3: Comprehensive mastery of the Practice at scale

Per Level, SAMM defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel




• 泥巴往事网 (www.nbwtv.com) © 2014 All Rights Reserved.