实用中国IDC产业年度大典 Software Assurance Maturity Model -上.pptVIP

Software Assurance Maturity Model Pravir Chandra OpenSAMM Project Lead Agenda Review of existing secure SDLC efforts Understanding the model Applying the model SAMM and the real world By the end, you’ll be able to... Evaluate an organization’s existing software security practices Build a balanced software security assurance program in well-defined iterations Demonstrate concrete improvements to a security assurance program Define and measure security-related activities throughout an organization Review of existing secure SDLC efforts CLASP Comprehensive, Lightweight Application Security Process Centered around 7 AppSec Best Practices Cover the entire software lifecycle (not just development) Adaptable to any development process Defines roles across the SDLC 24 role-based process components Start small and dial-in to your needs Microsoft SDL Built internally for MS software Extended and made public for others MS-only versions since public release Touchpoints Gary McGraw’s and Cigital’s model Lessons Learned Microsoft SDL Heavyweight, good for large ISVs Touchpoints High-level, not enough details to execute against CLASP Large collection of activities, but no priority ordering ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf Drivers for a Maturity Model An organization’s behavior changes slowly over time Changes must be iterative while working toward long-term goals There is no single recipe that works for all organizations A solution must enable risk-based choices tailor to the organization Guidance related to security activities must be prescriptive A solution must provide enough details for non-security-people Overall, must be simple, well-defined, and measurable Understanding the model SAMM Business Functions Start with the core activities tied to any organization performing software development Named generically, but should resonate with any developer or manager