An Application Security Assessment is started by examining the security practices of a solution\u00a0in its SDLC ( Software Development Lifecycle ). The key areas are examined are broken down into 4 domains of Governance, Intelligence, SSDL Touch-points, and Deployment. In those domains Strategy & Metrics, Compliance & Policy, Training, Attack Models, Security Features & Design, Standards & Requirements, Architecture Analysis, Code Review, Security Testing, Penetration Testing, Software Environment, and Configuration Management & Vulnerability Management are examined.<\/p>\n
Specifically a program is examined to ensure that there are at least Security minimums in key areas that are in place (these are my view on minimums): Training, Architectural Analysis, Code Review, Penetration Testing, and Privacy. These are the standard starting point for any assessment in Application Security.<\/p>\n
Within the areas listed above they are looked at to understand the maturity of each. It is important to look at how a security activity is offered, performed, and any external effect it has on the lifecycle. No security practice is an island unto itself. They all work holistically in a SDLC lifecycle eco-system.<\/p>\n
An overview into the core security practices and maturity:<\/p>\n
Training maturity- Software Security training and awareness promote a culture of software security throughout the organization.<\/p>\n
<\/p>\n
Architectural Analysis maturity – Perform a security feature review and get started with Architectural Analysis.<\/p>\n
<\/p>\n
Code Review maturity – Use manual code analysis review along-side automation. Use automated tools to drive efficiency and consistency .<\/p>\n
<\/p>\n
Penetration Testing maturity – Use Penetration Testers to find problems.<\/p>\n
<\/p>\n
Privacy – Identify PII obligations and promote privacy.<\/p>\n
<\/p>\n
Outside the core security practices other security practices that are examined are one\u2019s that are common across the Industry.<\/p>\n
<\/p>\n
Security & Metrics –\u00a0What SDLC is being used and what gates are enforced?<\/p>\n
<\/p>\n
Attack Models -Create a data classification scheme and inventory. Prioritize applications by data consumed and data manipulated.<\/p>\n
<\/p>\n
Security Features & Design\u00a0–\u00a0Build and track a common library of security features for re-use.<\/p>\n
<\/p>\n
Standards & Requirements – Create security standards.<\/p>\n
<\/p>\n
Security Testing – Drive tests with security requirements and security features.<\/p>\n
<\/p>\n
Software Environment – Host and network security basics are in place.<\/p>\n
<\/p>\n
Configuration Management & Vulnerability Management – Use Operations data to change development behavior.<\/p>\n
An Application Security Assessment is started by examining the security practices of a solution in its SDLC ( Software Development Lifecycle ). The key areas are examined are broken down into 4 domains of Governance, Intelligence, SSDL Touch-points, and Deployment. In those domains Strategy & Metrics, Compliance & Policy, Training, Attack Models, Security Features & Design, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-75","post","type-post","status-publish","format-standard","hentry","category-software-security"],"yoast_head":"\n