Software Security Framework

Brian Chess and I just published an article on the Software Security Framework displayed below.

Governance Intelligence SDL Touchpoints Deployment
Strategy and Metrics Attack Models Architecture Analysis Penetration Testing
Compliance and Policy Security Features and Design Code Review Software Environment
Training Standards and Requirements Security Testing Configuration Management and Vulnerability Management

Our plan is to use this framework to build a maturity model for software security by interviewing executives running many of the top ten large-scale software security initiatives. Please check out the article, and stay tuned for more.

This entry was posted on Wednesday, October 15th, 2008 at 10:51 am and is filed under Software Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Previous post: What Measures do Software Vendors Use for Software Assurance?
Next post: Web application security versus software security

One Response to “Software Security Framework”

  1. Tom Van Vleck Says:
    January 19th, 2009 at 3:06 pm

    This is good and useful. I would trya different set of rows to see what happens:
    MODEL, POLICY, PROCEDURE, TOOL. See http://www.multicians.org/thvv/vvcomb.html

    The security MODEL is the identification of actors, interests, and relationships: the “piping digram” if you will.

    Security POLICY states the goal. That is, what flows we want in the pipes.

    There may be many PROCEDUREs but each should be justified by pointing to the policies it supports.

    Then we can talk about how the procedures are mechanized by TOOLs.

Leave a Reply