Application security matters for many reasons. Many of the applications we use during a working day were built before cybercrime became the “profession” and the “temptation” it is today. Some of our customers are systematically reviewing every application that could expose their organization to unnecessary risk and “retrofitting” those applications with security controls. Our friend Warren Axelrod, a long-time crusader for safer applications, told us about a report that shines a much-needed light on secure application development and testing. Here is a summary of the report and directions on how you can get a FREE copy.
From the desk of Warren Axelrod: On March 4, 2009, an eminent team of application security experts published the “Build Security In Maturity Model” report, which is available free at http://bsi-mm.com/. The authors, Gary McGraw, Sammy Migues and Brian Chess, are well known for their pioneering work and many publications in secure application development and testing. The report describes the results of a survey they conducted among nine companies with leading-edge application security practices, and how those companies matched against a framework and maturity model that the authors had developed. There are many lessons to be learned from this report, among them the practices to which practically all of the leaders subscribed. These practices, in abbreviated form, are:
· Build support throughout the organization
· Meet regulatory needs or customer demand with a unified approach
· Promote culture of security throughout the organization
· See yourself in the problem
· Create proactive security guidance around security features
· Build internal capability on security architecture
· Use encapsulated attacker perspective
· Demonstrate that organization’s code needs help
· Provide a solid host/network foundation for software
· Understand the organization’s history
· Meet demand for security features
· Review high-risk applications opportunistically
· Use operations data to change development behavior
While we must not pretend that every organization can, or even should, achieve excellence in each of these key areas, it serves us well to know what others are doing with respect to application security, particularly when going for those budget dollars. Why not present your manager with a copy of the report and let him or her know that you are ready, willing and able to have your organization rank among the best in the business when it comes to secure software?