Professional Documents
Culture Documents
• Prescriptive knowledge
• Diagnostic knowledge
• Historical knowledge
Risk Management Framework (RMF)
• Continuous risk management process
• Identify and keep track of risks over time as a software project unfolds
• RMF occurs in parallel with SDLC activities
• High-level approach to iterative risk management that is deeply integrated throughout the SDLC
• Identify, rank, track, and understand software security risks as they change over time
RMF Five Stages:
Stage 1: Understand Business Context
• Risk management
  • Occurs in a business context
  • Affected by business motivation
• Key activity of an analyst
  • Extract and describe business goals – clearly
  • Increasing revenue; reducing dev cost; meeting SLAs; generating high return on investment (ROI)
• Set priorities
• Understand circumstances
Stage 2: Identify the business & technical risks
• Business risks have impact
  • Direct financial loss; loss of reputation; violation of customer or regulatory requirements; increase in development cost
• Severity of risks
  • Should be captured in financial or project management terms
• Key is – tie technical risks to business context
Stage 3: Synthesize and rank the risks
• Prioritize the risks alongside the business goals
• Assign risks appropriate weights for resolution
• Risk metrics
  • Risk likelihood
  • Risk impact
  • Number of risks mitigated over time
Stage 4: Risk Mitigation Strategy
• Develop a coherent strategy for mitigating risks
• In a cost-effective manner; account for
  • Cost; implementation time; completeness; impact; likelihood of success
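The four stages above are steps of one iterative process, so here is a single worked example that runs them end to end. It is an added illustration, not material from the lecture or from McGraw's RMF description: a toy risk register in which business goals carry priorities (Stage 1), each technical risk is tied to the business risk and goal it threatens (Stage 2), risks are ranked by likelihood x impact weighted by goal priority (Stage 3), and mitigations are chosen by expected risk reduction per unit cost within a budget, accounting for cost, completeness and likelihood of success (Stage 4). It also records the number of risks mitigated per iteration, the tracking metric from Stage 3. All goals, risks, mitigations, scores and budgets are constructed for illustration.

```python
"""Added example (not from the lecture slides): a toy RMF-style risk register.

Stage 1 - business goals with priorities
Stage 2 - technical risks tied to the business risk and goal they threaten
Stage 3 - synthesize and rank: likelihood x impact, weighted by goal priority
Stage 4 - choose mitigations by expected risk reduction per unit cost, within a budget
The count of mitigated risks is appended after every iteration (tracking over time).
Every goal, risk, mitigation and number below is constructed for illustration.
"""
import copy
from dataclasses import dataclass


@dataclass
class BusinessGoal:          # Stage 1: extracted, described and prioritised
    name: str
    priority: int            # 1 (low) .. 5 (high)


@dataclass
class Risk:                  # Stage 2: technical risk tied to business context
    rid: str
    technical: str           # the technical risk
    business_risk: str       # the business impact it maps to
    goal: str                # BusinessGoal.name it threatens
    likelihood: float        # 0.0 .. 1.0
    impact: int              # 1 .. 5, expressed in financial/project terms
    mitigated: bool = False


@dataclass
class Mitigation:            # Stage 4 inputs
    rid: str                 # Risk.rid it addresses
    description: str
    cost: float              # e.g. person-days
    reduction: float         # completeness: fraction of the risk removed if it works
    success: float           # likelihood the mitigation succeeds


def risk_score(risk, goals):
    """Stage 3 metric: likelihood x impact, weighted by the affected goal's priority."""
    priority = {g.name: g.priority for g in goals}
    return risk.likelihood * risk.impact * priority[risk.goal]


def rank_risks(risks, goals):
    """Stage 3: order the still-open risks, highest score first."""
    open_risks = [r for r in risks if not r.mitigated]
    return sorted(open_risks, key=lambda r: risk_score(r, goals), reverse=True)


def plan_mitigations(risks, goals, mitigations, budget):
    """Stage 4: greedy plan by expected score reduction per unit cost, within budget.

    Expected reduction = score x reduction x likelihood of success, so an
    expensive or unreliable fix for a big risk can lose to a cheap, reliable one.
    """
    by_id = {r.rid: r for r in risks}

    def value_per_cost(m):
        return risk_score(by_id[m.rid], goals) * m.reduction * m.success / m.cost

    chosen, remaining = [], budget
    for m in sorted(mitigations, key=value_per_cost, reverse=True):
        if by_id[m.rid].mitigated or m.cost > remaining:
            continue
        chosen.append(m)
        remaining -= m.cost
    return chosen


def apply_mitigations(risks, chosen, history):
    """Mark the chosen risks mitigated and record this iteration's mitigated count."""
    by_id = {r.rid: r for r in risks}
    for m in chosen:
        by_id[m.rid].mitigated = True
    history.append(sum(1 for r in risks if r.mitigated))
    return history


# Constructed sample register (names and figures are illustrative only)
GOALS = [BusinessGoal("revenue", 5), BusinessGoal("sla", 4), BusinessGoal("dev_cost", 2)]
RISKS = [
    Risk("R1", "SQL injection in order API", "direct financial loss", "revenue", 0.6, 5),
    Risk("R2", "no rate limiting on login", "loss of reputation", "sla", 0.5, 3),
    Risk("R3", "outdated TLS library", "regulatory violation", "revenue", 0.4, 4),
    Risk("R4", "unpinned build dependencies", "increased dev cost", "dev_cost", 0.7, 2),
]
MITIGATIONS = [
    Mitigation("R1", "parameterised queries + input validation", 3.0, 0.9, 0.95),
    Mitigation("R2", "rate limiting and account lockout", 4.0, 0.8, 0.8),
    Mitigation("R3", "upgrade TLS library", 2.0, 1.0, 0.9),
    Mitigation("R4", "pin and verify dependencies", 1.0, 0.9, 0.9),
]


def run_example(budget=6.0):
    """Two RMF iterations: rank, plan within budget, apply, then re-plan for what is left."""
    risks = copy.deepcopy(RISKS)      # keep the module-level register unchanged
    history = []
    ranking = [r.rid for r in rank_risks(risks, GOALS)]
    first = plan_mitigations(risks, GOALS, MITIGATIONS, budget)
    apply_mitigations(risks, first, history)
    second = plan_mitigations(risks, GOALS, MITIGATIONS, budget)
    apply_mitigations(risks, second, history)
    return ranking, [m.rid for m in first], [m.rid for m in second], history


if __name__ == "__main__":
    ranking, first, second, history = run_example()
    print("Stage 3 ranking:", ranking)            # ['R1', 'R3', 'R2', 'R4']
    print("Iteration 1 mitigations:", first)      # ['R1', 'R3', 'R4']
    print("Iteration 2 mitigations:", second)     # ['R2']
    print("Risks mitigated over time:", history)  # [3, 4]
```

With a budget of 6 the cheap fix for the low-priority dependency risk (R4) fits into the first iteration while the expensive login fix (R2) is deferred, which is the kind of trade-off Stage 4 asks for: ranking alone would have scheduled R2 before R4. Rerunning the same functions each iteration is what makes the register continuous rather than a one-off assessment.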
Software Security Best Practice
• Developers' best efforts on applying touchpoints may fail
  • Lack of security domain knowledge
  • Unfamiliar with real world attacks
  • Knowledge is acquired from years of experience in the field
• Information security staff have years of experience responding to attacks
  • Have studied application vulnerabilities and their resulting attack profiles in minute detail
• Few information security professionals are developers
  • Rare to find information security professionals directly involved in development projects
• Touchpoints are designed to be carried out by software security specialists in tandem with development teams
• Software security is a team effort
Security Requirements and Operations
• Requirements: Abuse cases
• Design: Business risk analysis
• Design: Architectural risk analysis
• Test Planning: Security testing
• Security requirements
  • Difficult tasks
  • Should cover both overt functional security and emergent characteristics
  • Use requirements engineering approach