With today, I had completed integrating security in standard SDLC to prevent security bugs from appearing in released applications. SEI CMMI Version 1.1, Maturity Level 5 Process has been updated with security tests/tools/guidelines/templates to ensure application security is adequately covered and controls are effective throughout the development process. Following is the breif summary outlined here.
| SDLC Process | Requirements & Engineering Management | Architecture & Design * | Coding & Unit Testing | Integration & Testing |
| Entry Criteria | Business Requirements | Security requirements | Threat model | White Box test results |
| Constraints & assumptions | High Level Architecture/Design Document Use cases | High Level/Low Level Architecture, Design Documents | ||
| Activities | Determine application risk rank | Create threat model | Security development/coding guidelines/best practices | Automated Application Assessment |
| Identify key compliance objectives | Review/modify security requirements | White Box Review & Host review | Manual/Automated penetration testing | |
| Define secure integration with external systems | Architecture & Design Review | Static code analyzer | ||
| Deliverables | Security test strategy | Threat model | ||
| Security integrated into the development process | Security requirements in all defined components | White Box Review Report & Sign off | Black Box Review Report & Sign Off | |
| Predictive Risk Ranking | Architecture & Design Review Report | |||
| Tools | Security consultant | Threat Model Tool | Static Code Analyzer | Automated security tool |
| Security Requirements Review Checklist | Architecture & Design Review Checklist | Security Development Guidelines | ||
| Exit | Test strategy approved | No Sev 1 & Sev 2 issues exists | No Sev 1 & Sev 2 issues exists | No Sev 1 & Sev 2 issues exists |
| Responsibility | Project Team & Security Team | Project Team & Security Team | Project Team & Security Team | Project Team & Security Team |
No comments:
Post a Comment