Comments on: Software Security Framework http://www.cigital.com/justice-league-blog/2008/10/15/software-security-framework/ Sun, 13 May 2012 16:44:00 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: gem http://www.cigital.com/justice-league-blog/2008/10/15/software-security-framework/#comment-112 gem Fri, 16 Apr 2010 20:46:33 +0000 http://www.cigital.com/justiceleague/2008/10/15/software-security-framework/#comment-112 Hi Tilly, The Framework is very much like a grid in Archeology. Think of it as conceptual stakes and string defining "squares" where we discover (or observe) activities. You can read about the Framework and why we built it here: http://www.informit.com/articles/article.aspx?p=1271382 The Model is the actual observed data. You should read the BSIMM itself for that which you can find here: http://bsi-mm.com/ The BSIMM itself is infinitely more important than the Framework. Hope that helps. gem Hi Tilly,

The Framework is very much like a grid in Archeology. Think of it as conceptual stakes and string defining “squares” where we discover (or observe) activities. You can read about the Framework and why we built it here: http://www.informit.com/articles/article.aspx?p=1271382

The Model is the actual observed data. You should read the BSIMM itself for that which you can find here: http://bsi-mm.com/

The BSIMM itself is infinitely more important than the Framework.

Hope that helps.

gem

]]> By: Tilly http://www.cigital.com/justice-league-blog/2008/10/15/software-security-framework/#comment-111 Tilly Fri, 16 Apr 2010 19:12:50 +0000 http://www.cigital.com/justiceleague/2008/10/15/software-security-framework/#comment-111 Can you explain the difference between framework and model Can you explain the difference between framework and model

]]> By: Tom Van Vleck http://www.cigital.com/justice-league-blog/2008/10/15/software-security-framework/#comment-110 Tom Van Vleck Mon, 19 Jan 2009 20:06:50 +0000 http://www.cigital.com/justiceleague/2008/10/15/software-security-framework/#comment-110 This is good and useful. I would trya different set of rows to see what happens: MODEL, POLICY, PROCEDURE, TOOL. See http://www.multicians.org/thvv/vvcomb.html The security MODEL is the identification of actors, interests, and relationships: the "piping digram" if you will. Security POLICY states the goal. That is, what flows we want in the pipes. There may be many PROCEDUREs but each should be justified by pointing to the policies it supports. Then we can talk about how the procedures are mechanized by TOOLs. This is good and useful. I would trya different set of rows to see what happens:
MODEL, POLICY, PROCEDURE, TOOL. See http://www.multicians.org/thvv/vvcomb.html

The security MODEL is the identification of actors, interests, and relationships: the “piping digram” if you will.

Security POLICY states the goal. That is, what flows we want in the pipes.

There may be many PROCEDUREs but each should be justified by pointing to the policies it supports.

Then we can talk about how the procedures are mechanized by TOOLs.

]]>