SlideShare a Scribd company logo

A Pragmatic Approach to Securing Software Apps with the ASM Model

Security Innovation
Security Innovation

The Application Security Maturity (ASM) model was developed based on over 10 years of data analyzing how organizations approach software security. The ASM model plots organizations on a grid based on their investments in tools/technology and people/processes. Most organizations follow a typical maturity curve through three stages: 1) The Panic Scramble, where organizations react to events with tool purchases but see little impact. 2) The Pit of Despair, where organizations reduce tool usage and ponder next steps. 3) Security as a Core Business Process, where security is integrated throughout the organization with balanced investments in tools/technology and people/processes. The ASM model can help organizations understand their current maturity level and guide investments to accelerate progress along the

Technology
1 of 9
Download to read offline
Application Security Maturity Model (ASM) A Pragmatic Approach to Securing your Software Applications Ed Adams CEO, Security Innovation BOSTON | SEATTLE 187 Ballardvale St. Suite A195 ●Wilmington, MA 01887● Ph: +1.978.694.1008 getsecure@securityinnovation.com● www.securityinnovation.com
November 15, 2010 Table of Contents Introduction ............................................................................................................................................................ 2 Creating the ASM Model ................................................................................................................................................... 2 Technology and Tools (T&T) ......................................................................................................................................... 3 People and Processes (P&P) .............................................................................................................................................. 3 Plotting the Data.................................................................................................................................................................. 4 Understanding the ASM Model...................................................................................................................................... 5 The Panic Scramble ............................................................................................................................... 5 The Pit of Despair .................................................................................................................................. 5 Security as a Core Business Process...................................................................................................... 5 Application Security Maturity Model (ASM) ......................................................................................... 6 Sample ASM model plots (for Large Ecommerce Organization) .......................................................... 7 Using the ASM Model......................................................................................................................................................... 7 Conclusion ................................................................................................................................................................ 8 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 1 www.securityinnovation.com
November 15, 2010 Introduction The Application Security Maturity (ASM) model helps organizations understand where they are in terms of their overall approach to software security. The model was developed by Security Innovation in 2007 from analyzing and plotting over ten year’s worth of data about organizations and their security efforts, in particular their investment in tools, technology, people, and processes. Based on this research, it’s clear that organizations that develop and deploy the most secure software have a high maturity level; further, they only reach maturity through much trial and error, particularly when it comes to purchasing and integrating tools into their software development and information security organizations. By understanding and using the ASM model, organizations can uncover their current maturity level and then understand the most effective course of action to increase this level quickly and pragmatically while introducing as little disruption as possible to their current development process and in-production application management. This goal of this article is to: 1) Understand how the ASM model was created. 2) Learn how the model works and what it can tell you about your organization. 3) Help fine-tune your security-related investments in order to positively impact your software security maturity more quickly Creating the ASM Model The ASM model was developed after analyzing first-hand the software security activities and investments of hundreds of organizations. The initial data input for the model is based on:  Extensive software security research at Florida Institute of Technology (FIT). Led by Dr. James Whittaker, FIT project teams examined the security issues of software development processes as well as the underlying testing procedures and processes that were failing to catch so many critical software bugs. This work began in 1999 and conclusions were drawn from direct exposure to the tools used, developer mindset and skillset, and development processes used.  In-depth consulting engagements with Security Innovation clients. Security Innovation was founded by Dr. Whittaker in 2002, and since its inception, has expanded on the initial FIT research. The company’s staff of security experts has helped understand, assess, and classify thousands of software bugs. Its employees have written books and created methodologies adopted by leading software developers. As with the initial FIT research, the knowledge and expertise from Security Innovation staff is from real-world experience.  Detailed analysis of data collected via interviews and SDLC (software development lifecycle) assessments. This data was collected at over 200 organizations, many of whom are Fortune or Global 500 companies. Interview data was validated and expanded upon by direct inspection and inquisition of tools, systems, and staff. In each case, baseline metrics were defined and tracked over time – in some companies for as little as 12 months, in most over a span of 3-5 years.  The combined ten-year experience of the Security Innovation team and its academic predecessor means that we have access to – and continually generate – a wealth of information about how organizations approach the software security challenge. By analyzing all of our primary data, it became evident that there are two critical categories of investments that can 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 2 www.securityinnovation.com
November 15, 2010 impact how well any company meets the challenge. Technology and Tools (T&T) These investments include the various software tools and applications an organization licenses or acquires to secure software during all stages of the software development life cycle (SDLC), from creating application or system requirements through final deployment. This is typically the area where most organizations, when faced with the threat of a security breach or looming regulatory pressures, first invest their dollars. Specific investment in this area includes tools for:  Version control  Source code scanning  Defect Management  Test Automation  Web Security vulnerability scanning  Application-layer security mitigation (e.g., a Web application firewall) In each area above, organizations were analyzed for both depth and breadth of application. For example, in source code scanning, organizations were examined on several factors, including:  Does the organization utilize source code scanning tools?  If so, are there security source code scanning tools in place?  How and where are the source code tools used, e.g., on developers’ desktops, at check-in or build time, continuous integration, at a single clearinghouse/ “gatekeeper” station prior to deployment? Who uses the source code scanning tools, e.g., security architects, developers, testers/QA, information security officer/analyst, etc. People and Processes (P&P) Investments in this area include the hiring of security staff, ongoing training programs, and improvements to the SDLC specifically for enhancing code or application security. While the typical reaction to real, perceived, or potential security threats is a tool-buying spree, over time companies learn to invest in improving security deeper in the organization by making investments in P&P, which almost always pay higher dividends than an investment in tools. Specific examples of investment in this area include:  Secure SDLC activities for development teams at each phase, e.g., design, code, test, et al.  Training (both technical and awareness)  Internal “Red Teams” (playing the role of attacker)  Third-party security reviews (at code and as-built layers)  Application security auditing  Integration of Application Security with Risk Management practices Just as we did with T&T, each P&P area is analyzed and explored in depth and breadth. The resulting database had over 10,000 data points that were sorted, normalized, and compared to extract trend lines 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 3 www.securityinnovation.com
November 15, 2010 and conduct point-in-time analyses. Note that having invested in all of the specifics outlined above – essentially a laundry list of security best practices – in both the T&T and P&P categories would indicate a very high security maturity level for an organization, and high maturity is the goal if and only if the investment is coupled with the culture change necessary to integrate the investments as part of operational business. Therefore, it is not a simple matter of picking and choosing a handful of investments to make in each category. Rather, it is a journey that leads organizations to eventually understand the benefit of funding and implementing the T&T and P&P investments mentioned above. Once you have built your policies, constructed your corporate secure coding standards and provided procedures for implementation, you need to give your people the training they need to implement correctly. Training should not be limited to technical training for your development team – managers, business analysts, and internal auditors or security assessors also need to be trained. A good curriculum will include 100-level “awareness” training as well as 200- and 300-level courses for each role, such as Manager, Business Analyst, Architect or Developer. Plotting the Data Understanding these two critical elements led us to plot organizations according to these two criteria. Using a standard 4x4 grid, with the left corner (the origin) representing “low,” and the top left and bottom right corners representing “high,” we plotted an organization’s investment in Technology & Tools on the vertical Y axis and its investment in People & Processes on the horizontal, X axis. The grid was populated from information we knew directly about organizations and their security investments. For example, to be plotted, we had to be able to determine an organization’s investment for both T&T and P&P based on our scale. From this information, we were able to:  Plot organizations over time (multiple data points). By working with an organization for an extended period of time, we were able to plot its evolution in terms of the two primary axes of the ASM model. This organization-normalized curve mirrored the generalized (all organizations) curve mentioned below.  Plot individual companies (single data points). We could plot each company we worked with according to the two major axes of the model. While a single point does not enable us to create a company-specific progression, it does help us validate an overall curve.  Determine the ASM curve (all data points). Using the information we had from companies both over time and at a point in time, a predictable ASM curve developed. This curve reliably predicts where organizations are along the curve and their likely future course of action. While the ASM model and the typical maturity curve provide great insight for organizations to understand and alter their security investments, there are some caveats of the model that should be taken into consideration:  The model is based upon organizations that have asked us for help, so by definition (going to a third-party source for help), they are already more aware and mature than an organization just starting its ASM journey.  Companies may not follow the path directly, though evidence suggests that most companies will 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 4 www.securityinnovation.com
November 15, 2010 adhere to the basic curve unless they have actively decided to influence it in a severe fashion by specific investments (or panic.) Understanding the ASM Model The ASM Model has three distinct phases based on a company’s investment in Tools & Technology and People & Processes. The phases are: The Panic Scramble, The Pit of Despair, and Security as a Core Business Process. The Panic Scramble Most immature organizations are in this stage. They start their security journey by responding to some event, perhaps a loss of confidential data, a Web site breach, or the discovery of a network intruder. They may also enter this stage as a response to external events, such as a very public security breach at a competitor or media reports of massive data losses. Another potential catalyst is a new government or industry regulation. Organizations that have found themselves in the Panic Scramble respond to the immediate security issues by spending money on software security tools and technologies that hold the promise of immediate impact to mitigate the perceived or real threat. However, such an investment without the requisite investment in P&P usually provides little overall return and limited security improvements; in fact, many times, tools become “shelfware” sitting unused because the developer or information security professional doesn’t know how to use them or what to do with the results the tool generates, leading to the second stage. The Pit of Despair After a relatively brief period of panic, companies revisit their security investments and find the money they have spent has had only a minor impact on their security. A few areas of the company may have benefited from the efforts, but overall, security is not pervasive in either the IT or business aspects of the organization. The organization becomes security depressed as it bemoans T&T investment and languishes while pondering what to do next. During this stage, organizations often see a reduction in tools usage as they try to figure out how to best leverage the investment made or rethink it altogether. Typically at this stage they do begin to invest in staff training, improved processes, and utilization of security experts to help with planning and assessments. However, they also tend to lower their budget on the tools and technology side. Without major returns, and faced with continual threats, companies will remain in this stage until a major security mind shift occurs. As procedures are detailed and driven by new security awareness and requirements, senior business and IT staff finally begin to understand the critical need to invest in long- term and company-wide security hygiene. Often after enlisting the help of third-party firms, such as consultants or security auditors, or being burned by a data breach – they move to the final stage. Security as a Core Business Process Having made the important shift to understanding security as core to a successful business, organizations will begin to devote more budget (but more importantly time and focus) to the software tools required to ensure secure code in all phases of the software development life cycle, the training 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 5 www.securityinnovation.com
November 15, 2010 needed to educate developers and other non-IT employees, and the enhanced processes that bake security into all business and IT activities. Application Security Maturity Model (ASM) The ASM Model graphic above depicts a typical path an organization may take. Time is overlaid left-to-right and the speed at which an organization passes along this curve varies with their awareness, investments, and success of adopting new processes. Also, an organization’s Pit of Despair may be deeper or elongated if they have difficulty adopting and integrating new tools and process. The duration of each stage and the slope of the curve can vary depending on many factors, including:  The influence of security-minded executives. In many cases, business or IT executives can drive the move to the third stage quicker than it would happen normally. For example, an incoming executive that has already seen the value of being in Stage 3 in a previous company can often reduce the duration of the earlier stages and help the organization avoid common pitfalls.  The use of third-party consultants and service providers. The primary research for the ASM model was based on direct interaction with organizations that have made the decision to employ external security experts. These experts can demonstrate the value of more quickly embracing security as a core business process.  Seeing security as a competitive advantage. Some firms have chosen to embrace a pervasive security approach with its required increased investment in order to differentiate themselves from competitors with a more lackadaisical approach to security. 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 6 www.securityinnovation.com
November 15, 2010 Sample ASM model plots (for Large Ecommerce Organization) Using the ASM Model Organizations can leverage the ASM Model to: • Determine their current location along the ASM curve. Just knowing where an organization falls on the curve is a critical first step to understanding and improving overall security. With knowledge of where the company falls, the company can understand. • How it compares to others – either competitors or best-of-breed companies • Its likely ASM path • The time frame expected for the stage it is in • Their investment ratio • Circumvent the traditional curve to accelerate activities. By understanding their current location, companies can then decide how to influence their own curve. For example, a CIO may aggressively avoid the Pit of Despair stage by embracing the proper mix of investments in tools, technology, people, and processes. That CIO may use the graph – and the organization’s current plot – to help influence security investments, demonstrating the potential changes to curves as a result of too little or too late investment in all aspects of security. • Chart the ASM path along the curve over time. A critical aspect of any security program is auditing systems, and charting the progress of the organization’s dedication to security should also be undertaken. By periodically plotting the company’s location on the ASM Model, a company can track its improvements as well as its efforts in relation to the average curve. 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 7 www.securityinnovation.com
November 15, 2010 The easiest way to begin is with a self-assessment. Ask yourself where your organization is with respect to the T&T and P&P analysis areas: 1. Version control 2. Source code scanning 3. Defect Management 4. Test Automation 5. Web Security vulnerability scanning 6. Application-layer security mitigation (e.g., a Web application firewall) 7. Secure SDLC activities for development teams at each phase, e.g., design, code, test, et al. 8. Training (both technical and awareness) 9. Internal “Red Teams” (playing the role of attacker) 10. Third-party security reviews (at code and as-built layers) 11. Application security auditing 12. Integration of Application Security with Risk Management practices For each area, ask both the “IS” and the “HOW” questions. For example, is your organization using test automation tools and, if so, how are they being used. And then dive one layer deeper and ask how it applies directly to your organizations’ security and data protection objectives. Even this simple exercise will likely uncover some stagnant investments and need for awareness improvement. Conclusion Understanding your Application Security Maturity level is critical to understanding your overall IT security posture and accurately assessing your data protection initiatives. Many people don’t realize that applications and servers are responsible for over 90% of all security vulnerabilities; yet, more than 80% of IT security spend continues to be at the network or perimeter layer. There is no shortage of data points and industry studies that document this dangerous phenomenon; however, there are very few resources that give you practical advice on what to do about it. The ASM Model can be your first steps down that road. 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 8 www.securityinnovation.com

Recommended

10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITYRazorpoint Security
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Edgilis principles of isa may11
Edgilis principles of isa may11Edgilis principles of isa may11
Edgilis principles of isa may11Max Armbruster
 
Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1pk4
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slidesSteve Arnold
 
Ciso organizational priorities to build a resilient bimodal it
Ciso organizational priorities to build a resilient bimodal itCiso organizational priorities to build a resilient bimodal it
Ciso organizational priorities to build a resilient bimodal itChandra Sekhar Tondepu
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 

Recommended

10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITYRazorpoint Security
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Edgilis principles of isa may11
Edgilis principles of isa may11Edgilis principles of isa may11
Edgilis principles of isa may11Max Armbruster
 
Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1pk4
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slidesSteve Arnold
 
Ciso organizational priorities to build a resilient bimodal it
Ciso organizational priorities to build a resilient bimodal itCiso organizational priorities to build a resilient bimodal it
Ciso organizational priorities to build a resilient bimodal itChandra Sekhar Tondepu
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 
Security operations center inhouse vs outsource
Security operations center inhouse vs outsourceSecurity operations center inhouse vs outsource
Security operations center inhouse vs outsourceNetmagic Solutions Pvt. Ltd.
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity OverviewBrian Matteson, CISSP CISA
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?John Gardner, CMC
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering frameworkIAEME Publication
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering frameworkiaemedu
 
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...EMC
 
Information Security
Information SecurityInformation Security
Information Securitydivyeshkharade
 
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORKPROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORKIJCSEA Journal
 
Intelligent security operations a staffing guide
Intelligent security operations a staffing guideIntelligent security operations a staffing guide
Intelligent security operations a staffing guideColleen Johnson
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guideAdilsonSuende
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Bo Birdwell
 
Car Cybersecurity: What do Automakers Really Think?
Car Cybersecurity: What do Automakers Really Think?Car Cybersecurity: What do Automakers Really Think?
Car Cybersecurity: What do Automakers Really Think?Security Innovation
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Pengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITPengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITMark Thalib
 
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...InnoTech
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 

More Related Content

What's hot

ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?John Gardner, CMC
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering frameworkIAEME Publication
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering frameworkiaemedu
 
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...EMC
 
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORKPROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORKIJCSEA Journal
 
Intelligent security operations a staffing guide
Intelligent security operations a staffing guideIntelligent security operations a staffing guide
Intelligent security operations a staffing guideColleen Johnson
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guideAdilsonSuende
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Bo Birdwell
 

What's hot (17)

Security operations center inhouse vs outsource
Security operations center inhouse vs outsourceSecurity operations center inhouse vs outsource
Security operations center inhouse vs outsource
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering framework
 
A model based security requirements engineering framework
A model based security requirements engineering frameworkA model based security requirements engineering framework
A model based security requirements engineering framework
 
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...
 
Information Security
Information SecurityInformation Security
Information Security
 
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORKPROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
PROPOSING SECURITY REQUIREMENT PRIORITIZATION FRAMEWORK
 
Intelligent security operations a staffing guide
Intelligent security operations a staffing guideIntelligent security operations a staffing guide
Intelligent security operations a staffing guide
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing Processes
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
 

Viewers also liked

Car Cybersecurity: What do Automakers Really Think?
Car Cybersecurity: What do Automakers Really Think?Car Cybersecurity: What do Automakers Really Think?
Car Cybersecurity: What do Automakers Really Think?Security Innovation
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Pengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITPengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITMark Thalib
 
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...InnoTech
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSAcourses
 
Emergence and transformation of digital utilities in the “smart” era
Emergence and transformation of digital utilities in the “smart” era Emergence and transformation of digital utilities in the “smart” era
Emergence and transformation of digital utilities in the “smart” era Capgemini
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 

Viewers also liked (20)

Car Cybersecurity: What do Automakers Really Think?
Car Cybersecurity: What do Automakers Really Think?Car Cybersecurity: What do Automakers Really Think?
Car Cybersecurity: What do Automakers Really Think?
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 
Pengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITPengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem IT
 
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0
 
SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0
 
SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0
 
SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes Profiling
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
Emergence and transformation of digital utilities in the “smart” era
Emergence and transformation of digital utilities in the “smart” era Emergence and transformation of digital utilities in the “smart” era
Emergence and transformation of digital utilities in the “smart” era
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 

Similar to A Pragmatic Approach to Securing Software Apps with the ASM Model

The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019Ulf Mattsson
 
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013drewz lin
 
Building an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterBuilding an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterEMC
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxkatherncarlyle
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxdaniahendric
 
Open group spc rosenthal v3
Open group spc rosenthal v3Open group spc rosenthal v3
Open group spc rosenthal v3City of Toronto
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesIJNSA Journal
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
How To Select Security Orchestration Vendor
How To Select Security Orchestration VendorHow To Select Security Orchestration Vendor
How To Select Security Orchestration VendorSiemplify
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Discussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docxDiscussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docxelinoraudley582231
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 

Similar to A Pragmatic Approach to Securing Software Apps with the ASM Model (20)

The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Eng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-LatestEng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-Latest
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 
Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
Ast 0079872 1505924-esg_wp_rsa_big_data_and_security_analytics_jan_2013
 
Security operations center inhouse vs outsource
Security operations center inhouse vs outsourceSecurity operations center inhouse vs outsource
Security operations center inhouse vs outsource
 
Building an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterBuilding an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations Center
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docx
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docx
 
ICISS Newsletter Sept 14
ICISS Newsletter Sept 14ICISS Newsletter Sept 14
ICISS Newsletter Sept 14
 
Open group spc rosenthal v3
Open group spc rosenthal v3Open group spc rosenthal v3
Open group spc rosenthal v3
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
How To Select Security Orchestration Vendor
How To Select Security Orchestration VendorHow To Select Security Orchestration Vendor
How To Select Security Orchestration Vendor
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Discussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docxDiscussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docx
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

A Pragmatic Approach to Securing Software Apps with the ASM Model

  • 1. Application Security Maturity Model (ASM) A Pragmatic Approach to Securing your Software Applications Ed Adams CEO, Security Innovation BOSTON | SEATTLE 187 Ballardvale St. Suite A195 ●Wilmington, MA 01887● Ph: +1.978.694.1008 getsecure@securityinnovation.com● www.securityinnovation.com
  • 2. November 15, 2010 Table of Contents Introduction ............................................................................................................................................................ 2 Creating the ASM Model ................................................................................................................................................... 2 Technology and Tools (T&T) ......................................................................................................................................... 3 People and Processes (P&P) .............................................................................................................................................. 3 Plotting the Data.................................................................................................................................................................. 4 Understanding the ASM Model...................................................................................................................................... 5 The Panic Scramble ............................................................................................................................... 5 The Pit of Despair .................................................................................................................................. 5 Security as a Core Business Process...................................................................................................... 5 Application Security Maturity Model (ASM) ......................................................................................... 6 Sample ASM model plots (for Large Ecommerce Organization) .......................................................... 7 Using the ASM Model......................................................................................................................................................... 7 Conclusion ................................................................................................................................................................ 8 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 1 www.securityinnovation.com
  • 3. November 15, 2010 Introduction The Application Security Maturity (ASM) model helps organizations understand where they are in terms of their overall approach to software security. The model was developed by Security Innovation in 2007 from analyzing and plotting over ten year’s worth of data about organizations and their security efforts, in particular their investment in tools, technology, people, and processes. Based on this research, it’s clear that organizations that develop and deploy the most secure software have a high maturity level; further, they only reach maturity through much trial and error, particularly when it comes to purchasing and integrating tools into their software development and information security organizations. By understanding and using the ASM model, organizations can uncover their current maturity level and then understand the most effective course of action to increase this level quickly and pragmatically while introducing as little disruption as possible to their current development process and in-production application management. This goal of this article is to: 1) Understand how the ASM model was created. 2) Learn how the model works and what it can tell you about your organization. 3) Help fine-tune your security-related investments in order to positively impact your software security maturity more quickly Creating the ASM Model The ASM model was developed after analyzing first-hand the software security activities and investments of hundreds of organizations. The initial data input for the model is based on:  Extensive software security research at Florida Institute of Technology (FIT). Led by Dr. James Whittaker, FIT project teams examined the security issues of software development processes as well as the underlying testing procedures and processes that were failing to catch so many critical software bugs. This work began in 1999 and conclusions were drawn from direct exposure to the tools used, developer mindset and skillset, and development processes used.  In-depth consulting engagements with Security Innovation clients. Security Innovation was founded by Dr. Whittaker in 2002, and since its inception, has expanded on the initial FIT research. The company’s staff of security experts has helped understand, assess, and classify thousands of software bugs. Its employees have written books and created methodologies adopted by leading software developers. As with the initial FIT research, the knowledge and expertise from Security Innovation staff is from real-world experience.  Detailed analysis of data collected via interviews and SDLC (software development lifecycle) assessments. This data was collected at over 200 organizations, many of whom are Fortune or Global 500 companies. Interview data was validated and expanded upon by direct inspection and inquisition of tools, systems, and staff. In each case, baseline metrics were defined and tracked over time – in some companies for as little as 12 months, in most over a span of 3-5 years.  The combined ten-year experience of the Security Innovation team and its academic predecessor means that we have access to – and continually generate – a wealth of information about how organizations approach the software security challenge. By analyzing all of our primary data, it became evident that there are two critical categories of investments that can 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 2 www.securityinnovation.com
  • 4. November 15, 2010 impact how well any company meets the challenge. Technology and Tools (T&T) These investments include the various software tools and applications an organization licenses or acquires to secure software during all stages of the software development life cycle (SDLC), from creating application or system requirements through final deployment. This is typically the area where most organizations, when faced with the threat of a security breach or looming regulatory pressures, first invest their dollars. Specific investment in this area includes tools for:  Version control  Source code scanning  Defect Management  Test Automation  Web Security vulnerability scanning  Application-layer security mitigation (e.g., a Web application firewall) In each area above, organizations were analyzed for both depth and breadth of application. For example, in source code scanning, organizations were examined on several factors, including:  Does the organization utilize source code scanning tools?  If so, are there security source code scanning tools in place?  How and where are the source code tools used, e.g., on developers’ desktops, at check-in or build time, continuous integration, at a single clearinghouse/ “gatekeeper” station prior to deployment? Who uses the source code scanning tools, e.g., security architects, developers, testers/QA, information security officer/analyst, etc. People and Processes (P&P) Investments in this area include the hiring of security staff, ongoing training programs, and improvements to the SDLC specifically for enhancing code or application security. While the typical reaction to real, perceived, or potential security threats is a tool-buying spree, over time companies learn to invest in improving security deeper in the organization by making investments in P&P, which almost always pay higher dividends than an investment in tools. Specific examples of investment in this area include:  Secure SDLC activities for development teams at each phase, e.g., design, code, test, et al.  Training (both technical and awareness)  Internal “Red Teams” (playing the role of attacker)  Third-party security reviews (at code and as-built layers)  Application security auditing  Integration of Application Security with Risk Management practices Just as we did with T&T, each P&P area is analyzed and explored in depth and breadth. The resulting database had over 10,000 data points that were sorted, normalized, and compared to extract trend lines 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 3 www.securityinnovation.com
  • 5. November 15, 2010 and conduct point-in-time analyses. Note that having invested in all of the specifics outlined above – essentially a laundry list of security best practices – in both the T&T and P&P categories would indicate a very high security maturity level for an organization, and high maturity is the goal if and only if the investment is coupled with the culture change necessary to integrate the investments as part of operational business. Therefore, it is not a simple matter of picking and choosing a handful of investments to make in each category. Rather, it is a journey that leads organizations to eventually understand the benefit of funding and implementing the T&T and P&P investments mentioned above. Once you have built your policies, constructed your corporate secure coding standards and provided procedures for implementation, you need to give your people the training they need to implement correctly. Training should not be limited to technical training for your development team – managers, business analysts, and internal auditors or security assessors also need to be trained. A good curriculum will include 100-level “awareness” training as well as 200- and 300-level courses for each role, such as Manager, Business Analyst, Architect or Developer. Plotting the Data Understanding these two critical elements led us to plot organizations according to these two criteria. Using a standard 4x4 grid, with the left corner (the origin) representing “low,” and the top left and bottom right corners representing “high,” we plotted an organization’s investment in Technology & Tools on the vertical Y axis and its investment in People & Processes on the horizontal, X axis. The grid was populated from information we knew directly about organizations and their security investments. For example, to be plotted, we had to be able to determine an organization’s investment for both T&T and P&P based on our scale. From this information, we were able to:  Plot organizations over time (multiple data points). By working with an organization for an extended period of time, we were able to plot its evolution in terms of the two primary axes of the ASM model. This organization-normalized curve mirrored the generalized (all organizations) curve mentioned below.  Plot individual companies (single data points). We could plot each company we worked with according to the two major axes of the model. While a single point does not enable us to create a company-specific progression, it does help us validate an overall curve.  Determine the ASM curve (all data points). Using the information we had from companies both over time and at a point in time, a predictable ASM curve developed. This curve reliably predicts where organizations are along the curve and their likely future course of action. While the ASM model and the typical maturity curve provide great insight for organizations to understand and alter their security investments, there are some caveats of the model that should be taken into consideration:  The model is based upon organizations that have asked us for help, so by definition (going to a third-party source for help), they are already more aware and mature than an organization just starting its ASM journey.  Companies may not follow the path directly, though evidence suggests that most companies will 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 4 www.securityinnovation.com
  • 6. November 15, 2010 adhere to the basic curve unless they have actively decided to influence it in a severe fashion by specific investments (or panic.) Understanding the ASM Model The ASM Model has three distinct phases based on a company’s investment in Tools & Technology and People & Processes. The phases are: The Panic Scramble, The Pit of Despair, and Security as a Core Business Process. The Panic Scramble Most immature organizations are in this stage. They start their security journey by responding to some event, perhaps a loss of confidential data, a Web site breach, or the discovery of a network intruder. They may also enter this stage as a response to external events, such as a very public security breach at a competitor or media reports of massive data losses. Another potential catalyst is a new government or industry regulation. Organizations that have found themselves in the Panic Scramble respond to the immediate security issues by spending money on software security tools and technologies that hold the promise of immediate impact to mitigate the perceived or real threat. However, such an investment without the requisite investment in P&P usually provides little overall return and limited security improvements; in fact, many times, tools become “shelfware” sitting unused because the developer or information security professional doesn’t know how to use them or what to do with the results the tool generates, leading to the second stage. The Pit of Despair After a relatively brief period of panic, companies revisit their security investments and find the money they have spent has had only a minor impact on their security. A few areas of the company may have benefited from the efforts, but overall, security is not pervasive in either the IT or business aspects of the organization. The organization becomes security depressed as it bemoans T&T investment and languishes while pondering what to do next. During this stage, organizations often see a reduction in tools usage as they try to figure out how to best leverage the investment made or rethink it altogether. Typically at this stage they do begin to invest in staff training, improved processes, and utilization of security experts to help with planning and assessments. However, they also tend to lower their budget on the tools and technology side. Without major returns, and faced with continual threats, companies will remain in this stage until a major security mind shift occurs. As procedures are detailed and driven by new security awareness and requirements, senior business and IT staff finally begin to understand the critical need to invest in long- term and company-wide security hygiene. Often after enlisting the help of third-party firms, such as consultants or security auditors, or being burned by a data breach – they move to the final stage. Security as a Core Business Process Having made the important shift to understanding security as core to a successful business, organizations will begin to devote more budget (but more importantly time and focus) to the software tools required to ensure secure code in all phases of the software development life cycle, the training 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 5 www.securityinnovation.com
  • 7. November 15, 2010 needed to educate developers and other non-IT employees, and the enhanced processes that bake security into all business and IT activities. Application Security Maturity Model (ASM) The ASM Model graphic above depicts a typical path an organization may take. Time is overlaid left-to-right and the speed at which an organization passes along this curve varies with their awareness, investments, and success of adopting new processes. Also, an organization’s Pit of Despair may be deeper or elongated if they have difficulty adopting and integrating new tools and process. The duration of each stage and the slope of the curve can vary depending on many factors, including:  The influence of security-minded executives. In many cases, business or IT executives can drive the move to the third stage quicker than it would happen normally. For example, an incoming executive that has already seen the value of being in Stage 3 in a previous company can often reduce the duration of the earlier stages and help the organization avoid common pitfalls.  The use of third-party consultants and service providers. The primary research for the ASM model was based on direct interaction with organizations that have made the decision to employ external security experts. These experts can demonstrate the value of more quickly embracing security as a core business process.  Seeing security as a competitive advantage. Some firms have chosen to embrace a pervasive security approach with its required increased investment in order to differentiate themselves from competitors with a more lackadaisical approach to security. 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 6 www.securityinnovation.com
  • 8. November 15, 2010 Sample ASM model plots (for Large Ecommerce Organization) Using the ASM Model Organizations can leverage the ASM Model to: • Determine their current location along the ASM curve. Just knowing where an organization falls on the curve is a critical first step to understanding and improving overall security. With knowledge of where the company falls, the company can understand. • How it compares to others – either competitors or best-of-breed companies • Its likely ASM path • The time frame expected for the stage it is in • Their investment ratio • Circumvent the traditional curve to accelerate activities. By understanding their current location, companies can then decide how to influence their own curve. For example, a CIO may aggressively avoid the Pit of Despair stage by embracing the proper mix of investments in tools, technology, people, and processes. That CIO may use the graph – and the organization’s current plot – to help influence security investments, demonstrating the potential changes to curves as a result of too little or too late investment in all aspects of security. • Chart the ASM path along the curve over time. A critical aspect of any security program is auditing systems, and charting the progress of the organization’s dedication to security should also be undertaken. By periodically plotting the company’s location on the ASM Model, a company can track its improvements as well as its efforts in relation to the average curve. 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 7 www.securityinnovation.com
  • 9. November 15, 2010 The easiest way to begin is with a self-assessment. Ask yourself where your organization is with respect to the T&T and P&P analysis areas: 1. Version control 2. Source code scanning 3. Defect Management 4. Test Automation 5. Web Security vulnerability scanning 6. Application-layer security mitigation (e.g., a Web application firewall) 7. Secure SDLC activities for development teams at each phase, e.g., design, code, test, et al. 8. Training (both technical and awareness) 9. Internal “Red Teams” (playing the role of attacker) 10. Third-party security reviews (at code and as-built layers) 11. Application security auditing 12. Integration of Application Security with Risk Management practices For each area, ask both the “IS” and the “HOW” questions. For example, is your organization using test automation tools and, if so, how are they being used. And then dive one layer deeper and ask how it applies directly to your organizations’ security and data protection objectives. Even this simple exercise will likely uncover some stagnant investments and need for awareness improvement. Conclusion Understanding your Application Security Maturity level is critical to understanding your overall IT security posture and accurately assessing your data protection initiatives. Many people don’t realize that applications and servers are responsible for over 90% of all security vulnerabilities; yet, more than 80% of IT security spend continues to be at the network or perimeter layer. There is no shortage of data points and industry studies that document this dangerous phenomenon; however, there are very few resources that give you practical advice on what to do about it. The ASM Model can be your first steps down that road. 187 Ballardvale St. • Wilmington, MA 01887 Ph: (978) 694-1008 • F: (978) 694-1666 Page 8 www.securityinnovation.com