SDL, CLASP & TOUCHPOINTS: A Comparison and Alignment of CLASP with Waterfall Model
Nishtha Sankhwar, Dept. of Information Technology, IIIT Allahabad, nishthasankhwar.infosec@gmail.com
Anuja Tewari, Dept. of Information Technology, IIIT Allahabad, anujatewari.infosec@gmail.com
Dr. Vrijendra Singh, Dept. of Information Technology, IIIT Allahabad, vrijendra.singh@gmail.com

Abstract

Integrating security into the software development process, from the very start to the very end, not only ensures secure software but also saves the organization the extra time and expense of remediation, while protecting its reputation. Various processes have been devised to introduce security into the development process, but they differ noticeably in how they involve security in the software development process. This paper helps bridge this gap by comparing the most widely adopted secure software development processes, OWASP's CLASP, McGraw's Touchpoints and Microsoft's SDL, to show the advantages and disadvantages each holds over the others. Further, the most secure of the three is aligned with a traditional software development process, providing a framework that implements security in the early stages of development while preserving the essence of an old and time-proven model.

Index Terms: SDL, CLASP, Touchpoints, Software development, Waterfall Model.

I. INTRODUCTION

Just as a layered approach is required for software development, software security needs to be designed in from the very first phase of development. Among the leading software development processes, a few provide greater flexibility and a few are able to deal with threat modeling. Unfortunately, these processes are not able to provide sufficient security together with flexibility and a full set of security best practices, as industry demands for continuously changing security requirements.
Hence, there is a need to understand a development process that could provide greater security and be easily aligned with the traditional development models.

The Security Development Lifecycle (SDL) was developed by Microsoft to answer the issues it faced during various development projects and hence mostly caters to the needs of its own development methodology. It has a more detail-centric approach, as it clearly defines how its activities are combined with the phases of the development process, because of which SDL tends to be somewhat rigid and time consuming in incorporating security into the development process. With these constraints of time and rigidity comes the most serious constraint of all, the cost of the overall project, which tends to be on the higher side, rendering this process infeasible for smaller organizations. The positives of engaging SDL in the development process are the awareness activities and the good guidance provided by SDL, which enable even newer and less experienced members of the development team to understand and integrate security into the development process. SDL provides a well-defined process for measuring the progress made by the overall process in the form of metrics.

Touchpoints was developed by Cigital and was formed from various software security practices applied by industry experts to the artifacts produced while developing software with security in mind. An artifact is a by-product of a software development phase, from design to implementation, to the end-user contract [10]. All these and many more are the deliverables of the development process, with the developed software itself counted among the artifacts. Touchpoints includes both constructive and destructive activities, with a focus on making penetration testing more of an inside-out approach to testing rather than an outside-in approach. Providing a taxonomy of bugs and their classification, and describing how network security can be handled with Touchpoints, are a few examples of how Touchpoints has been designed around the concept of direct applicability to a software development process. It fills the gap between how security should be done and how it is done in practice through the simple touchpoints it suggests.

CLASP [14] (Comprehensive, Lightweight Application Security Process) by OWASP is a set of best practices carefully based on suggestions from security practitioners all around the globe, with 24 activities that can easily be fitted into any software development process in use. CLASP offers high flexibility in the form of activities that need not be applied in any particular order. CLASP heavily emphasizes the identification of the various roles in a software development process and the resources they may be able to access. By providing a vulnerability lexicon and vulnerability use cases, CLASP offers an excellent source of implementation support resources, which makes applying its activities easier for the development team.
One concern with CLASP is that the activities it suggests are rather broad in their coverage.

The objective of this paper is to compare and contrast processes from the viewpoint of secure development, i.e., Microsoft SDL, OWASP CLASP (Comprehensive, Lightweight Application Security Process) and McGraw's Touchpoints. Theoretical comparisons are made between these three processes, based on some general criteria as well as on some of the best and most practical practices prevalent in the secure software development industry [6]. Each of these processes has been judged on the advantages it holds over the others, for example CLASP being more flexible and more applicable to any software development process, or how each handles security awareness within the development process. Such a comparison clearly shows which of these processes is suitable for which type of software development process (based on rigidity, size of the organization, time allowance for the development process, the phase of the development process to which they are applied, etc.).

II. LITERATURE REVIEW

Mike, 2003 [11] suggested a model (SSE-CMM) describing the vital attributes that an organization's security engineering process must meet, together with various IT processes and the competent measurement of their maturity level, to achieve good security alongside other necessary IT compliance requirements. A set of base practices defined in this model allows a developer to integrate security while setting the development objectives.

Dr. Raimundas Matulevičius [1] provided a comparative study of the leading methodologies prevailing in the market for secure software development, Microsoft's Security Development Lifecycle (SDL), OWASP's CLASP (Comprehensive, Lightweight Application Security Process) and Gary McGraw's Touchpoints, across six categories: education, architectural and detailed design, project launch, risk analysis and requirements, implementation and testing, and release and deployment. This approach clearly shows that Microsoft SDL fails to cover risk analysis and security requirements, while the other two pay some attention to them. His study continues by choosing the process that could perform risk analysis to identify and mitigate the threats that could arise while developing the software, with the help of a security research questionnaire, to give a better view of risk management methods. Conversely, the approach is limited to presenting one phase of the security development processes; the architectural and detailed design phases are not addressed.

Bart De Win et al. [2] performed a comparative study of SDL, CLASP and Touchpoints on the basis of the traditional software development process, but given today's industry projects and their security requirements, which vary from moderate to high at every phase of development, a more versatile approach is required to map the differences between the methodologies. Karl Tiirik [3] wrote an essay comparing SDL and Touchpoints, briefly describing the two processes and finding similarities and differences between them. The essay appears to be derived from the work of Bart De Win [2] and constitutes a concise summary.

The key challenge is to have an elaborated software development process that also addresses security between the development phases. Planning and developing software with application security in mind from the initial design phases leads to software with fewer application security bugs and less potential for vulnerabilities. Today's leading software development processes, which play major roles in the industry, are unable to perform vulnerability and threat analysis. Microsoft SDL, the oldest structured secure software development methodology, is inflexible with respect to applications and software on other platforms, as it only facilitates Microsoft-based applications and software. Software Security Touchpoints is a set of best practices that has been adopted by industry; though lightweight, it needs to be elaborated according to the development requirement specification and misses the major activity of educating the team. CLASP proposes a set of activities with broad coverage and a large resource base, applicable to any software development process, but it is this broad coverage that may raise questions about its ease of applicability. It is this broad coverage that we try to address by aligning the CLASP activities with the phases of a development process to make the process easily applicable.

III. METHODOLOGY

To compare CLASP, SDL and Touchpoints and subsequently understand the basis on which one of them is best suited to be selected as a secure means of software development, a set of criteria was defined, both generic in nature and based on a few best practices.
These criteria were selected because of the importance of efficiency (in terms of the time and cost of the overall process) [5], the suitability of these processes to organization size for defining the required development team size, and a few best practices required to enable developing secure software [6]. Identifying the sources for analyzing and contrasting these three processes was the next step [7][8][9]. Since SDL and Touchpoints are hierarchical in nature while CLASP is not, and CLASP's activities can be applied to many phases of the development process, the activities of these processes had to be realigned according to one of the processes and then compared. This gave us a better view of how extensively these criteria were being employed by the processes.

The CLASP process is composed of [14]:
- CLASP Views
- CLASP Resources

CLASP Views

These views are broken down into activities, which in turn are broken into components to give a brief understanding of the CLASP process. The activities defined under it explain how they can be easily embedded into the software development lifecycle. The views contain the following perspectives:
- Concept view: provides a high-level introduction to the CLASP views, best practices, security policies and process components.
- Role-Based view: explains how roles can be associated with each best practice.
- Activity-Assessment view: assists managers in assessing the appropriateness of the CLASP activities for their project.
- Activity-Implementation view: contains the 24 CLASP activities that can be integrated with the software development process.
- Vulnerability view: CLASP identifies 104 problem types that may form the basis of security vulnerabilities, which helps to identify the possible conditions under which a threat can occur.
Vulnerability use cases assist the project manager in identifying the attack surface and the associated vulnerabilities in security services.

CLASP Resources

CLASP provides a list of resources that need to be kept in focus while planning, implementing and performing activities. The following is an abstracted list of resources, which is further categorized into organization-specific architecture and processes:
- Basic principles of application security
- Descriptions of core security principles
- System assessment worksheet
- Network resources
- System resources
- File system and registry
- Sample road maps

IV. ANALYSIS

(A) Comparison between SDL, CLASP & Touchpoints
After understanding and analyzing SDL, CLASP and Touchpoints based on the resources that were available, it can be deduced that all three of these secure software development processes answer the issue of security in quite different manners. Their overall objective may remain the same, i.e. to embed software security while the software is being developed, but their application differs considerably. Hence, rather than comparing these processes against one of their own number, a set of general and necessary criteria was used to compare them in Table I.

Table I: Comparing CLASP, SDL & Touchpoints

| Criteria | CLASP [9] | SDL [7] | Touchpoints [8] |
| Nature | Light weight | Heavy weight | Light weight |
| Applicability | Any software development process | Software development life cycle (SDLC) phases only | Software development artifacts |
| Suitability | Small and large sized organizations | Large organizations | Small and large sized organizations |
| Nature of activities | Constructive | Constructive | Destructive as well as constructive |
| Team education | Yes | Yes | No |
| Application testing and assessment | Extensively | Through threat modeling, code-level review and security tests, but no verification of security attributes of resources | Through threat modeling, code-level review and security tests, but no verification of security attributes of resources |
| Evaluation of current state and security requirements | Yes (using a global security policy, identifying resources and trust boundaries, user roles are defined, mention of operational environment, misuse cases, recognizing attack surface, documenting security requirements) | Yes (no global security policy, no identification of resources and trust boundaries, user roles are not defined, mention of operational environment, no misuse cases, recognizing attack surface, documenting security requirements) | Yes (no global security policy, no identification of resources and trust boundaries, user roles are not defined, no mention of operational environment, misuse cases, recognizing attack surface, documenting security requirements) |
| Measurement of security activities | Yes | Yes | Yes |
| Code integrity check | Yes | No | No |
| Separate privacy requirement evaluation | No | Yes | No |

Nature

Nature here depicts the basic characteristics of a process: the team size needed, the flexibility of the process in application, less rigorous development methods, the time and cost that must be invested, etc. CLASP and Touchpoints turn out to hold a large advantage over SDL here, since both are designed so that they can be applied to the development methodology an organization already uses, whereas SDL requires quite a revamp of that methodology to be of use.

Applicability

The applicability criterion describes how the activities defined in each of these processes apply to any development methodology. While CLASP's activities have no fixed order of application, CLASP is also adaptable to any development methodology because it has no mandatory activities; its activities can be absorbed into the process as applicable. SDL is strictly a phase-wise application of its activities. Many organizations have an existing development methodology [12], so they would prefer integrating a security process that works with their existing model rather than one that requires a complete change. Similarly, Touchpoints has an upper hand over SDL, as it focuses on applying security activities to the artifacts produced during a new or an existing development methodology.

Suitability

Based on the above factors of nature and applicability, it is quite evident that CLASP and Touchpoints are more suitable for smaller organizations and projects, which may be restricted financially or in size, while SDL works through a very rigorous process that may not be adaptable to every type of organization at any point in a development project.

Nature of activities

Touchpoints encompasses activities that are constructive as well as destructive ones.
By destructive, we refer to McGraw's definition: those activities that handle attacks, exploits, and breaking software. These are represented by the Black Hat [8]. White Hats represent the constructive activities, those concerned with design, defense and functionality. Touchpoints uses penetration testing, which is destructive in nature, alongside code reviews (constructive) and abuse cases (constructive as well as destructive). SDL and CLASP employ only constructive activities such as code reviews, risk analysis, defining security requirements, etc.

Team education

Educating or training the team and stakeholders before a project is launched ensures that the overall objective of achieving security while developing the software is maintained throughout the process. SDL and CLASP hold the advantage here, since they offer activities that make sure the team members are well equipped with the required security knowledge through security awareness programs; SDL even has methods to measure the knowledge gained from such programs. Touchpoints is severely lacking on this front, since it defines no activities that focus on educating the team.

Application assessment and testing

All three secure development processes encourage proper assessment and testing of the software being developed, but what gives CLASP the advantage is that it also considers verifying the security attributes of the resources used in development, i.e. whether they comply with the global security policy, which resources should be accessible to the system and by whom, etc.

Evaluation of current state and security requirements

One of the major differences between CLASP and the other two secure development processes lies in the fact that CLASP standardizes how products are used and the approach taken by defining a global security policy [9]; neither SDL nor Touchpoints covers this ground.
CLASP and SDL both recognize and try to minimize exposure of the attack surface; CLASP also recognizes its entry points and the roles that can access these entry points and resources, while Touchpoints performs destructive activities to discover the attack surface but does nothing to minimize it.
Measurement of security activity performance

All three processes provide activities to identify metrics, evaluate them and use them, but CLASP combines such security analysis with the security management process by automating security analysis and metrics along with penetration testing, and delivers the output in the form of metrics that allow monitoring of the work to be done and the work done so far.

Code integrity check

CLASP ensures the integrity of the developed code by signing the code with the PKI vendor's software signing certificate on the compact archive file that contains the complete installation package for the developed software. Neither SDL nor Touchpoints performs any such activity. Thus CLASP gains a major advantage by ensuring one of the major factors of the security triad, integrity, which neither of the other processes does.

Separate privacy requirement evaluation

In the world of technology, privacy is a huge concern for any type of user related to computers in any manner [13]. SDL answers this call for privacy considerations even within the software development process. SDL promotes measuring the collection of metrics: in SDL, metrics are collected to understand how effective the awareness program has been, and in-process metrics give assurance that the process complies with the security requirements. After completion of the process, metrics are collected to provide guidance for future improvements. Touchpoints assesses the sensitivity of the data to be processed from a privacy point of view [1], while neither CLASP nor Touchpoints specifically takes privacy into consideration.

(B) Alignment of CLASP into the Waterfall model

The paper outlines the schema for embedding CLASP best practices into the phases of a software development process, which introduces security concerns from the start of any development process.
Waterfall is a very old and well-known model but carries high risk and uncertainty when it comes to security implications across iterations of development. An analysis has been performed in which each sub best practice of CLASP is mapped to the corresponding phase of development where it is required and ensures security. Fig. 1 and Fig. 2 describe clearly how the best practices of CLASP are mapped into the Waterfall model.
Fig. 1. Table: Alignment of CLASP best practices into the Waterfall model (Part I of II) [best practices are taken from OWASP CLASP [14]]

Institute awareness program [9]

Institute security awareness program: The security awareness program needs to be aligned with the requirement analysis phase of the SDL, as it is necessary to educate each and every member of the project about the inherent security features. The project manager should ensure that awareness programs and training sessions are organized throughout the organization, addressing the security requirements relating to each phase of development and the security issues that might arise as development proceeds. It is therefore crucial to establish the requisite exposure to security concerns before assigning accountability for issues. Even members who are not directly accountable, for example developers, should be aware of security concepts and the procedures adopted by the organization to implement them.
Fig. 2. Table: Alignment of CLASP best practices into the Waterfall model (Part II of II) [best practices are taken from OWASP CLASP [14]]

Perform application assessments [9]

In assessment, a security examination is performed to determine the weak entry points for risk that were not discovered in the requirement identification, design and implementation phases.

Perform security analysis of system requirements and design (threat modeling): Threat modeling has always needed to be performed in the specification and design phase of the Waterfall SDL, because after comprehending the project, i.e. what is to be built, it is necessary to identify the inappropriate and unfitting requirements and their resulting impact on the development. To perform security analysis of requirements and design, an expert or security auditor is recommended, to execute an unbiased assessment from the early stages. After identification of probable risks as well as risks that could not be assumed in advance, they are prioritized on the basis of the severity they present and of inadequate compensating controls.

Perform source-level security review: CLASP draws the security auditor's attention to finding the vulnerabilities present in the implementation phase by assessing threat profiles, the architectural assessment and the system requirements and specification. The security review has been aligned to take place at the end of every implementation iteration and in the testing phase.

Identify, implement, and perform security tests: This needs to be aligned with the testing and verification phase of Waterfall, to find the security issues not discovered or detected during the implementation phase. Security tests are driven by the test analyst and tester and act as a defense-in-depth procedure to assess the risks presented by the real-time environment.

Verify security attributes of resources: This is aligned with the testing phase. It verifies the authorization and access control assigned to each resource used in the system: the authorization granted by the standard system install should match exactly the owner of the resource as specified in the security requirements or in the global security policy.

Research and assess security posture of technology solutions: Technology solutions for development can be of two types, outsourced (third party) and in-house. For outsourced technological components, it is necessary first to identify the posture of the technology solution demanded by the system and then to assess the components for security issues upon receipt. If a component is not able to serve the purpose described in its documentation, the vendor is asked to perform an application assessment and generate a report for it. The organization itself may perform the assessment, but the vendor should be informed about the testing of the component. For in-house solutions, the organization should ensure the credibility of the technology solution and determine how well the solution will perform in reducing risk.

Capture security requirements [9]

Identify global security policy: This is aligned with the requirement analysis phase of development.
The organization needs to have a global security policy that sets the baseline security requirements for the project; the project manager or the CISO of the relevant departments should establish suitable policies if the project lacks any, and compare the acceptability of the global requirements to the project, which ultimately helps the specifier to identify the security posture of each component that will be used in the solution as well as its correctness with respect to the global standard.

Identify resources and trust boundaries: In this phase the designer prepares the architecture of the system from a network perspective, identifying the possible locations of network components and the resources that might be used by the program.

Identify user roles and resource capabilities: Identify project roles, their responsibilities and access rights, and the associated resources that should grant access only to the specified project roles. The mapping of each resource to its roles should be designed and documented in the specification and design phase.

Specify operational environment: An understanding of the operational environment is necessary to visualize the security influence introduced by the real-time environment whenever the product is put to run. Therefore it is aligned with the specification phase, to examine the possible implications of the security solution with respect to the target hosts and network architecture.

Detail misuse cases: Risk may arise at any phase of software development; for each possible risk, corresponding mitigation mechanisms are identified, performed and subsequently communicated to the stakeholder or end user. Stakeholders should be aware of each and every security risk or issue encountered during development; therefore security requirements need to be validated at the specification, design, implementation and testing phases.

Identify attack surface: This is aligned with the design phase of development.
The designer should identify possible as well as extrinsic loopholes while designing the solution or configuring the components in the network-level design. For each resource and component of the system, access roles need to be assigned and an access control list should be maintained throughout the organization.

Document security-relevant requirements: For secure development, not only the functional and business-level requirements for the system are examined; these requirements should also be reflected in the security requirements. Functional security requirements enumerate the fundamental security services for each resource present in the system. Business-level security requirements address the needs expressed by the customers, and these are always unstructured, as end users are not sufficiently aware of the set of requirements they actually need as opposed to what they demand. This needs to be worked out in the requirement specification phase.

Implement secure development practices [9]

Apply security principles to design: This needs to be aligned with the design phase. To enhance core security services, requirements are obliged to agree with the application design and with what has been documented in the software requirement specification (SRS). Outsourced components are analyzed for input validation and syntactic validation.

Annotate class designs with security properties: Requirements for any project are not definite; they might change according to the environment or with varying user needs. Class diagrams or structured annotations for archiving information will help the implementer to review and develop correctly. Every data resource in the system should have a security policy, and it is aligned back with the SRS document in the design and implementation phases to determine whether the resource provides those security services or not.

Implement and elaborate resource policies and security technologies: This is aligned with the implementation phase. The implementer should make certain that all development guidelines, including the security guidelines, are met.

Implement interface contracts: Interface contracts are the conventions that help in implementing input validation and error handling, and could prove to be a security-enhancing tool if declared diligently in the implementation phase.

Integrate security analysis into source management: This is aligned with the implementation phase. Security analysis tools are of two types, static and dynamic: static analysis examines the code entirely without executing the program, while dynamic analysis requires executing the code and verifying full functionality against the design specification. Whatever analysis system is adopted, security experts recommend analyzing small pieces of code first, followed by larger ones. Code analysis is further integrated by introducing a regular source code check.

Perform code signing: To ensure code integrity, code signing is performed after building the final product, in the maintenance phase.
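As an added example (not from the paper or from OWASP CLASP), the check below applies the two CLASP activities described above, "Verify security attributes of resources" and "Identify attack surface", to a constructed install tree: a global security policy (an assumed record format) states each resource's owning role, its required permission bits and the roles allowed to read it, and the checker reports resources whose installed attributes diverge from that policy, plus the resources reachable by the untrusted role. The role-to-uid mapping and the sample resources are constructed for the demonstration.

```python
"""Verify installed resource attributes against a global security policy.

Added example, not part of the paper or of OWASP CLASP. The ResourcePolicy
record, role_uids() and check_resources() are assumptions for illustration.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourcePolicy:
    path: str                 # resource path relative to the install root
    owner_role: str           # role that must own the resource
    mode: int                 # exact permission bits the install must grant
    readable_by: frozenset    # roles whose capabilities include reading it


# Constructed global security policy: which role owns each resource and which
# roles may read it. "anonymous" is the untrusted role outside the trust boundary.
GLOBAL_POLICY = (
    ResourcePolicy("etc/app.conf", "app", 0o600, frozenset({"app"})),
    ResourcePolicy("etc/db.secret", "dba", 0o400, frozenset({"dba"})),
    ResourcePolicy("www/index.html", "app", 0o644, frozenset({"app", "anonymous"})),
)


def role_uids(current_uid):
    """Constructed mapping from role to the uid that should own its resources."""
    return {"app": current_uid, "dba": current_uid}


def check_resources(root, policy, uid_for_role):
    """Compare the installed state of each resource with the policy.

    Returns a list of (resource path, finding) tuples; an empty list means the
    standard install matches the global security policy exactly.
    """
    findings = []
    for res in policy:
        full = os.path.join(root, res.path)
        if not os.path.exists(full):
            findings.append((res.path, "missing"))
            continue
        st = os.stat(full)
        actual_mode = stat.S_IMODE(st.st_mode)
        if actual_mode != res.mode:
            findings.append((res.path, f"mode {actual_mode:o} != policy {res.mode:o}"))
        if st.st_uid != uid_for_role[res.owner_role]:
            findings.append((res.path, f"owner uid {st.st_uid} != role {res.owner_role}"))
        # World-readable bits on a resource that the untrusted role may not read
        # widen the attack surface beyond the roles documented in the policy.
        if "anonymous" not in res.readable_by and actual_mode & stat.S_IROTH:
            findings.append((res.path, "world-readable but not in anonymous's capabilities"))
    return findings


def attack_surface(policy):
    """Resources the untrusted role can reach: the entry points to minimize."""
    return sorted(r.path for r in policy if "anonymous" in r.readable_by)


def demo():
    """Build a constructed install tree with one deliberate misconfiguration."""
    root = tempfile.mkdtemp()
    for res in GLOBAL_POLICY:
        full = os.path.join(root, res.path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, res.mode)
    # Simulate a vendor default that left the database secret world-readable.
    os.chmod(os.path.join(root, "etc/db.secret"), 0o644)
    return check_resources(root, GLOBAL_POLICY, role_uids(os.getuid()))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
    print("attack surface:", attack_surface(GLOBAL_POLICY))
```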
Build vulnerability remediation procedure [9]

Manage security issue disclosure process: If a tester has encountered a new or unidentified issue in the released software, it should first be communicated immediately internally and then to the client or stakeholders. Secondly, the organization should inform outside security investigators, so that others also become aware of the new vulnerabilities and mitigation technologies can be identified.

Address reported security issues: If a vulnerability has been identified in the system, a suitable design expert or the chief architect is assigned to the investigation, who will determine the impact and exposure of the issue and the mitigation strategies for it.

Define and monitor metrics [9]

Monitor security metrics: Metrics are meant to define the security posture of a system; they help designers to identify regions where improvement is required, assist implementers in enforcing the changes that need to be executed, enable testers to scrutinize the new build in accordance with the changed requirements, and allow performance to be analyzed through key metric indices once the solution is deployed. This CLASP practice is aligned with the design, development, verification and support phases. For design, attack surface metrics are defined, which make sure that the implementation is streamlined as drafted in the design. For implementation, coders are provided with the coding guidelines that need to be followed for secure development. Among the verification strategies, input validation metrics are used to analyze each input to the program. These metrics should be periodically reviewed by analyzing their output.

Publish operational security guidelines [9]

Specify database security configuration: Database resources that are used during the implementation process demand proper configuration to store them in the database.
Generally, organizations deploy the default configuration provided by third-party vendors, but before implementing these, the settings should be validated against the requirements of the resources. If necessary, an inaccurate configuration can be tested to identify the security risk associated with the database resource. Hence this practice needs to be aligned with the design, development and testing phases.

Build operational security guide: Users are the most important asset for any organization. At the time of delivering the software or product to the users, proper documentation on functional security is provided to ensure that practical requirements are taken care of before installation of the system. The implementer builds the documentation guide that addresses resources and their usage, mechanisms and policies for default authentication, the list of security settings and the procedure to use them.
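To make the database configuration check concrete, the following Go program is an added example, not code from the paper or from CLASP: it parses a constructed PostgreSQL-style key = value configuration, compares each security-relevant setting against a requirement, and lists every setting that still carries an insecure vendor default. The four requirements (ssl on, scram-sha-256 password hashing, no wildcard listen address, connection logging on) are assumed hardening requirements chosen for the example; a real project would derive them from its SRS and resource policies. Both configuration samples are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: a vendor-default style configuration as it might ship
// with a third-party database (not a real deployment file).
const VendorDefaultConfig = `
# constructed sample, vendor defaults
listen_addresses = '*'
ssl = off
password_encryption = md5
max_connections = 100
`

// Constructed sample: the same file after the settings were validated
// against the assumed security requirements below.
const HardenedConfig = `
listen_addresses = '10.0.0.5'      # constructed application-tier address
ssl = on
password_encryption = 'scram-sha-256'
log_connections = on
max_connections = 100
`

// Finding records one setting that fails its requirement.
type Finding struct {
	Key      string
	Actual   string // value found, or "(absent)" when the file does not set it
	Required string
}

// Requirement is one assumed hardening rule: Check reports whether the
// observed value (and whether it was present at all) is acceptable.
type Requirement struct {
	Required string
	Check    func(value string, present bool) bool
}

// requirements are constructed for this example from common hardening
// advice; they are not taken from the paper or from CLASP.
var requirements = map[string]Requirement{
	"ssl":                 {"on", func(v string, p bool) bool { return p && v == "on" }},
	"password_encryption": {"scram-sha-256", func(v string, p bool) bool { return p && v == "scram-sha-256" }},
	// absent means the server default (localhost), which is acceptable; a wildcard bind is not.
	"listen_addresses": {"specific address, not * or 0.0.0.0", func(v string, p bool) bool { return !p || (v != "*" && v != "0.0.0.0") }},
	// absent means the server default (off), so the setting must be present and on.
	"log_connections": {"on", func(v string, p bool) bool { return p && v == "on" }},
}

// ParseConfig reads "key = value" lines; '#' starts a comment, blank lines
// are skipped, keys are lower-cased and single quotes around a value are removed.
func ParseConfig(text string) map[string]string {
	cfg := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue
		}
		key := strings.ToLower(strings.TrimSpace(parts[0]))
		val := strings.Trim(strings.TrimSpace(parts[1]), "'")
		if key != "" {
			cfg[key] = val
		}
	}
	return cfg
}

// Audit compares a parsed configuration against the requirements and returns
// the failing settings sorted by key, so the report is stable between runs.
func Audit(cfg map[string]string) []Finding {
	var findings []Finding
	for key, req := range requirements {
		val, present := cfg[key]
		if req.Check(val, present) {
			continue
		}
		actual := val
		if !present {
			actual = "(absent)"
		}
		findings = append(findings, Finding{Key: key, Actual: actual, Required: req.Required})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Key < findings[j].Key })
	return findings
}

func main() {
	for _, c := range []struct{ name, text string }{{"vendor default", VendorDefaultConfig}, {"hardened", HardenedConfig}} {
		findings := Audit(ParseConfig(c.text))
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %-20s actual=%-10s required=%s\n", f.Key, f.Actual, f.Required)
		}
	}
}
```

The absent-setting cases are the ones that matter in practice: a requirement has to state what the server does when a key is missing, because a vendor default that is never written to the file is still the effective configuration.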
Fig. 3. Integration of CLASP best practices into Waterfall model

V. CONCLUSION

Figure 3 depicts a complete picture of how the framework will look after integrating CLASP best practices into the software development model. Development models embedded with CLASP best practices would empower organizations to address vulnerabilities well and provide security features to enhance authentication, confidentiality, data integrity and authorization. Among all the views provided by CLASP, the Vulnerability view makes it differ from the others, as SDL and Touchpoints are not able to do vulnerability assessment and are only capable of performing risk assessment. Traditional models like Waterfall, RAD, Iterative and Incremental are best in their own approach but are not able to perform well in risk mitigation. Hence the alignment of the sub best practices of CLASP with the development process is a defense-in-depth approach to delivering secure software.
REFERENCES

[1] Dr. Raimundas Matulevičius, A Literature Survey of the Development Processes for Secure Software,
[2] Bart De Win, Riccardo Scandariato, Koen Buyens, Johan Grégoire, Wouter Joosen, On the secure software development process: CLASP, SDL and Touchpoints compared,
[3] Karl Tiirik, Comparison of SDL and Touchpoints. /essay09.pdf
[4] Simplified Implementation of the Microsoft SDL, Microsoft, November 4,
[5] Stefan Wagner, Melanie Ruhe, A Systematic Review of Productivity Factors in Software Development,
[6] Seven Practical Steps to Delivering More Secure Software, Fortify Software Inc., files/fortify-practical-steps.pdf
Microsoft, Security Development Lifecycle best practices,
G. McGraw, Software Security: Building Security In, Addison Wesley, 2006
[7] OWASP, Comprehensive, lightweight application security process-best practices, Best_Practice (2006)
Wikipedia, Artifact (software development), opment) (2015)
[8] Mike Phillips, Using a Capability Maturity Model to Derive Security Requirements, SANS Institute, 2003
Jacobson, G. Booch, J. Rumbaugh, The Unified Software Development Process, Addison-Wesley, 1999
Lance J. Hoffman, Computers and Privacy: A Survey, ACM Computing Surveys (CSUR), June 1969
[9] OWASP CLASP Project, _CLASP_Project (2015)
[10] Shikha Maheshwari, Dinesh Ch. Jain, A Comparative Analysis of Different Types of Models in Software Development Life Cycle, Volume 2, Issue 5, May 2012
[11] Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, Charles V. Weber, Capability Maturity Model, Version 1.1, July 1993
[12] J.H. Saltzer, M.D. Schroeder, The protection of information in computer systems, Proceedings of the IEEE 63 (9) (1975)
[13] Vishwas Massey, K. J. Satao, Evolving a New Software Development Life Cycle Model (SDLC) incorporated with Release Management, IJEAT, ISSN: , Volume-1, Issue-4, April 2012
[14] Fabian, B., Gürses, S., Heisel, H., Santen, T., & Schmidt, H. (2009). A comparison of security requirements engineering methods, Requirements Engineering, Vol 15, Issue 1, pp. 7-40
[15] J.E. Burge and D.C. Brown, An Integrated Approach for Software Design Checking Using Design Rationale, Proc. First Int'l Conf. Design Computing and Cognition, J.S. Gero, ed., pp.