Software Security Framework

Brian Chess and I just published an article on the Software Security Framework displayed below.
| Governance | Intelligence | SDL Touchpoints | Deployment |
|---|---|---|---|
| Strategy and Metrics | Attack Models | Architecture Analysis | Penetration Testing |
| Compliance and Policy | Security Features and Design | Code Review | Software Environment |
| Training | Standards and Requirements | Security Testing | Configuration Management and Vulnerability Management |
Our plan is to use this framework to build a maturity model for software security by interviewing executives running many of the top ten large-scale software security initiatives. Please check out the article, and stay tuned for more.


January 19th, 2009 at 3:06 pm
This is good and useful. I would try a different set of rows to see what happens:
MODEL, POLICY, PROCEDURE, TOOL. See http://www.multicians.org/thvv/vvcomb.html
The security MODEL is the identification of actors, interests, and relationships: the “piping diagram” if you will.
Security POLICY states the goal. That is, what flows we want in the pipes.
There may be many PROCEDUREs but each should be justified by pointing to the policies it supports.
Then we can talk about how the procedures are mechanized by TOOLs.
April 16th, 2010 at 2:12 pm
Can you explain the difference between framework and model?
April 16th, 2010 at 3:46 pm
Hi Tilly,
The Framework is very much like a grid in Archeology. Think of it as conceptual stakes and string defining “squares” where we discover (or observe) activities. You can read about the Framework and why we built it here: http://www.informit.com/articles/article.aspx?p=1271382
The Model is the actual observed data. You should read the BSIMM itself for that which you can find here: http://bsi-mm.com/
The BSIMM itself is infinitely more important than the Framework.
Hope that helps.
gem