Insecure SPICE?

February 18, 2008 · Filed Under Featured Article, Secure Software Engineering 

SPICE (ISO/IEC 15504, Software Process Improvement and Capability dEtermination)

As a process engineer I was recently part of a SPICE (ISO/IEC 15504, Software Process Improvement and Capability dEtermination) assessment [1]. What SPICE is concerned with is the capability provided by an organization's management and process definition structures. SPICE is not a methodology: although it sets out a list of activities that might (and should) occur in a software project, it does not prescribe the order in which those activities are carried out.

The weakness of SPICE, from a security point of view, is the way its process dimension defines processes: it divides them into the five process categories of:

  • customer-supplier
  • engineering
  • supporting
  • management
  • organization

Since SPICE is meant to be a framework for the assessment of software processes, I asked myself where the processes for the development of secure software are hidden. They do not belong in the customer-supplier or organization process categories.

In my opinion there should be at least one touch point in each of the engineering (secure code development and QA), management (guidelines) and supporting (patch creation) process categories.

However, such a touch point is missing, in contrast to the CMMI [2] efforts: the SSE-CMM (Systems Security Engineering Capability Maturity Model) describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering [3]. More about the SSE-CMM and its real capabilities in an upcoming blog entry.

References

[1] http://www.isospice.com/
[2] http://www.sei.cmu.edu/cmmi/
[3] http://www.sse-cmm.org/
