Software Security Framework

Brian Chess and I just published an article on the Software Security Framework displayed below.

Governance: Strategy and Metrics; Compliance and Policy; Training
Intelligence: Attack Models; Security Features and Design; Standards and Requirements
SDL Touchpoints: Architecture Analysis; Code Review; Security Testing
Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management

Our plan is to use this framework to build a maturity model for software security by interviewing executives running many of the top ten large-scale software security initiatives. Please check out the article, and stay tuned for more.

One Response to “Software Security Framework”

  1. Tom Van Vleck Says:

    This is good and useful. I would try a different set of rows to see what happens:
    MODEL, POLICY, PROCEDURE, TOOL. See http://www.multicians.org/thvv/vvcomb.html

    The security MODEL is the identification of actors, interests, and relationships: the “piping diagram” if you will.

    Security POLICY states the goal. That is, what flows we want in the pipes.

    There may be many PROCEDUREs but each should be justified by pointing to the policies it supports.

    Then we can talk about how the procedures are mechanized by TOOLs.
