Secure Software Development Life Cycle Processes

Intended Audience. Scope. Definitions. Background. Capability Maturity Models. Microsoft’s Trustworthy Computing Security Development Lifecycle. Team Software Process for Secure Software Development (TSP). Correctness by Construction. Agile Methods. The Common Criteria. Software Assurance Maturity Model. Software Security Framework. Summary.

Intended Audience

Some of the content of this article is used with permission from the Software Engineering Institute report CMU/SEI- 2. TN- 0. 24. The target audience for this document includes program and project managers, developers, and all individuals supporting improved security in developed software. It is also relevant to software engineering process group (SEPG) members who want to integrate security into their standard software development processes.

Scope

Technology and content areas described include existing frameworks and standards such as the Capability Maturity Model Integration.
CMM, Capability Maturity Model, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. In addition, efforts specifically aimed at security in the SDLC are included, such as the Microsoft Trustworthy Computing Software Development Lifecycle, the Team Software Process for Secure Software Development (TSP℠-Secure), Correctness by Construction, Agile Methods, and the Common Criteria. Two approaches, Software Assurance Maturity Model (SAMM) and Software Security Framework (SSF), which were just released, have been added to give the reader as much current information as possible.

Definitions

These are some terms used in this document for which a common understanding would be useful.

Process – The IEEE defines a process as . A secure software process can be defined as the set of activities performed to develop, maintain, and deliver a secure software solution. Activities may not necessarily be sequential; they could be concurrent or iterative.

Process model – A process model provides a reference set of best practices that can be used for both process improvement and process assessment. Process models do not define processes; rather, they define the characteristics of processes. Process models usually have an architecture or a structure. Groups of best practices that lead to achieving common goals are grouped into process areas, and similar process areas may further be grouped into categories. Most process models also have a capability or maturity dimension, which can be used for assessment and evaluation purposes.

It is important to understand the processes that an organization is using to build secure software because unless the process is understood, its weaknesses and strengths are difficult to determine. It is also helpful to use common frameworks to guide process improvement, and to evaluate processes against a common model to determine areas for improvement.
Process models promote common measures of organizational processes throughout the software development life cycle (SDLC). These models identify many technical and management practices. Although very few of these models were designed from the ground up to address security, there is substantial evidence that these models do address good software engineering practices to manage and build software. However, there is probably a better likelihood of building secure software when an organization follows solid software engineering practices with an emphasis on good design, quality practices such as inspections and reviews, use of thorough testing methods, appropriate use of tools, risk management, project management, and people management.

Standards – Standards are established by some authority, custom, or by general consent as examples of best practices. Standards provide material suitable for the definition of processes.

Assessments, evaluations, appraisals – All three of these terms imply comparison of a process being practiced to a reference process model or standard. Assessments, evaluations, and appraisals are used to understand process capability in order to improve processes. They help determine whether the processes being practiced are adequately specified, designed, integrated, and implemented to support the needs, including the security needs, of the software product. They are also an important mechanism for selecting suppliers and then monitoring supplier performance.

Software assurance – SwA is defined as “the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its life cycle, and that the software functions in the intended manner”. In the Capability Maturity Model for Software, the purpose of “software assurance” is described as providing appropriate visibility into the process being used by the software projects and into the products being built.
The Systems and Security Engineering CMM describes “security assurance” as the process that establishes confidence that a product’s security needs are being met. In general, the term means the activities, methods, and procedures that provide confidence in the security-related properties and functions of a developed solution. In the Security Assurance section of its Software Assurance Guidebook .

Security engineering activities include activities needed to engineer a secure solution. Examples include security requirements elicitation and definition, secure design based on design principles for security, use of static analysis tools, secure reviews and inspections, and secure testing. Engineering activities have been described in other sections of the Build Security In web site.

Security Assurance Activities. Assurance activities include verification, validation, expert review, artifact review, and evaluations.

Security Organizational and Project Management Activities. Organizational activities include organizational policies, senior management sponsorship and oversight, establishing organizational roles, and other organizational activities that support security. Project management activities include project planning and tracking resource allocation and usage to ensure that the security engineering, security assurance, and risk identification activities are planned, managed, and tracked.

Security Risk Identification and Management Activities. There is broad consensus in the community that identifying and managing security risks is one of the most important activities in a secure SDLC and in fact is the driver for subsequent activities. Security risks in turn drive the other security engineering activities, the project management activities, and the security assurance activities. Risk is also covered in other areas of the Build Security In web site.

Other common themes include security metrics and overall defect reduction as attributes of a secure SDLC process.
The remainder of this document provides overviews of process models, processes, and methods that support one or more of the four focus areas. The overviews should be read in the following context: Organizations need to define organizational processes. To do that, they use process standards, and they also consider industry customs, regulatory requirements, customer demands, and corporate culture. Individual projects apply the organizational processes, often with appropriate tailoring. In applying the organizational processes to a particular project, the project selects the appropriate SDLC activities. Projects use appropriate security risk identification, security engineering, and security assurance practices as they do their work. Organizations need to evaluate the effectiveness and maturity of their processes as used. They also need to perform security evaluations.

Capability Maturity Models

Capability Maturity Models provide a reference model of mature practices for a specified engineering discipline. An organization can compare its practices to the model to identify potential areas for improvement. The CMMs provide goal-level definitions for and key attributes of specific processes (software engineering, systems engineering, security engineering), but do not generally provide operational guidance for performing the work. In other words, they don’t define processes, they define process characteristics; they define the what, but not the how. Rather, organizational evaluations are meant to focus process improvement efforts on weaknesses identified in particular process areas”.

Of the four secure SDLC process focus areas mentioned earlier, CMMs generally address organizational and project management processes and assurance processes. They do not specifically address security engineering activities or security risk management. They also focus on overall defect reduction, not specifically on vulnerability reduction.
This is important to note, since many defects are not security-related, and some security vulnerabilities are not caused by software defects. An example of a security vulnerability not caused by common software defects is intentionally-added malicious code.

Of the three CMMs currently in fairly widespread use, Capability Maturity Model Integration (CMMI), the Federal Aviation Administration integrated Capability Maturity Model (FAA-iCMM), and the Systems Security Engineering Capability Maturity Model (SSE-CMM), only the SSE-CMM was developed specifically to address security. The Trusted CMM, derived from the Trusted Software Methodology, is also of historical importance.

Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI) helps organizations increase the maturity of their processes to improve long-term business performance. As of December 2. Software Engineering Institute (SEI) reports that 1,1. CMMI-based appraisals. In November 2. 01. CMMI constellations were updated to version 1. CMMI-ACQ provides improvement guidance to acquisition organizations for initiating and managing the acquisition of products and services.