Please enable JavaScript.
Coggle requires JavaScript to display documents.
S2L9 - Software Security Assurance (SSA) (SSA Programs (Drivers…
S2L9 - Software Security Assurance (SSA)
SSA process begins by categorising information that will be contained in, or used by software according to its sensitivity
.
Once info us categorised, security requirements can be developed
SSA ensures that software is designed to operate a level of security that is consistent with potential harm that could result from loss, inaccuracy, alteration, unavailability or misuse of data and resources that it uses, controls and protects
SSA Components
SSI (S/w Security Initiative)
An effort dedicated to improve security of all deployed s/w
SSG (S/W Security Group)
Responsible to define, implement and enforce security policies and standards throughout SDLC.
Risks to SSA
Size & complexity of S/W
Outsourcing of s/w development and reliance on unverified supply chains
Reuse and interfacing of legacy S/W with newer application in increasingly complex and different environment. Results in unintended consequences and increase vulnerable s/w target
SSA Objectives
Dependability
Trustworthiness
Resilience
Conformance
Why SSA?
Reduce support costs, vulnerabilities and delivery delays
Ensure compliance with government or industry regulations
Enhance credibility of org and its development theme
SSA Activities
Some focus on ensuring information processes by IS is assigned proper sensitivity of category, and that appropriate protection requirements have been developed and met in system
Ensuring control and protection of S/W
SSA Programs
Drivers influencing SSA Programs
Compliance: Ensure app meets legal req, corporate policies, and industry standards
Contractual: Requirements set by both parties have been met
Reactionary: Identifying and solving potential defect
Security: Incorporated throughout SDLC
Elements of SSA (SSF)
Governance
Strategy and Metrics
Planning, assigning roles and responsibilities, identifying s/w security goals, determining budget, identifying metrics
.
Compliance and Policy
.
Training
Establishing awareness & training, hosting internal/external s/w security, and promoting culture of s/w security
Intelligence
Attack Models
Establishing threat modeling, abuse cases, data clafication
.
Security Features and design
Identify security patterns for major problems
.
Standards and Requirements
Software Security Development Lifecycle Touchpoint.
Architectural Analysis
Capture s/w architectural diagrams, applying lists of risks and threats, building assessment and corrective plan
.
Code Review
.
Security Testing
Deployment
Penetration Testing
.
Software environment
Esnures OS platform patching, use of firewalls
.
Configuration Management and Vulnerability Management
ensures provedures are in place or patching and updating appications, version control,
Developing SSA Program
Building from ground up:
Establish S/W Security
Build the S/W Security Group
Develop strategy, policy and standards
Integrate SDLC checkpints
Analyse app portfolio
Establish metrics conduct training and awereness activity