中国IDC产业年度大典 Software Assurance Maturity Model -上

SoftwareAssuranceMaturityModelPravirChandraOpenSAMMProjectLeadAgenda•ReviewofexistingsecureSDLCefforts•Understandingthemodel•Applyingthemodel•SAMMandtherealworldBytheend,you’llbeableto...•Evaluateanorganization’sexistingsoftwaresecuritypractices•Buildabalancedsoftwaresecurityassuranceprograminwell-definediterations•Demonstrateconcreteimprovementstoasecurityassuranceprogram•Defineandmeasuresecurity-relatedactivitiesthroughoutanorganizationReviewofexistingsecureSDLCeffortsCLASP•Comprehensive,LightweightApplicationSecurityProcess•Centeredaround7AppSecBestPractices•Covertheentiresoftwarelifecycle(notjustdevelopment)•Adaptabletoanydevelopmentprocess•DefinesrolesacrosstheSDLC•24role-basedprocesscomponents•Startsmallanddial-intoyourneedsMicrosoftSDL•BuiltinternallyforMSsoftware•Extendedandmadepublicforothers•MS-onlyversionssincepublicreleaseTouchpoints•GaryMcGraw’sandCigital’smodelLessonsLearned•MicrosoftSDL•Heavyweight,goodforlargeISVs•Touchpoints•High-level,notenoughdetailstoexecuteagainst•CLASP•Largecollectionofactivities,butnopriorityordering•ALL:Goodforexpertstouseasaguide,buthardfornon-securityfolkstouseofftheshelfDriversforaMaturityModel•Anorganization’sbehaviorchangesslowlyovertime•Changesmustbeiterativewhileworkingtowardlong-termgoals•Thereisnosinglerecipethatworksforallorganizations•Asolutionmustenablerisk-basedchoicestailortotheorganization•Guidancerelatedtosecurityactivitiesmustbeprescriptive•Asolutionmustprovideenoughdetailsfornon-security-people•Overall,mustbesimple,well-defined,andmeasurableUnderstandingthemodelSAMMBusinessFunctions•Startwiththecoreactivitiestiedtoanyorganizationperformingsoftwaredevelopment•Namedgenerically,butshouldresonatewithanydeveloperormanagerSAMMSecurityPractices•FromeachoftheBusinessFunctions,3SecurityPracticesaredefined•TheSecurityPracticescoverallareasrelevanttosoftwaresecurityassurance•Eachoneisa‘silo’forimprovementUndereachSecurityPractice•ThreesuccessiveObjectivesundereachPracticedefinehowitcanbeimprovedovertime•ThisestablishesanotionofaLevelatwhichanorganizationfulfillsagivenPractice•ThethreeLevelsforaPracticegenerallycorrespondto:•(0:ImplicitstartingpointwiththePracticeunfulfilled)•1:InitialunderstandingandadhocprovisionofthePractice•2:Increaseefficiencyand/oreffectivenessofthePractice•3:ComprehensivemasteryofthePracticeatscaleCheckoutthisone...PerLevel,SAMMdefines...•Objective•Activities•Results•SuccessMetrics•Costs•Personnel