Microsoft Security Risk Management Guide - Worth a look?
The Security Risk Management Guide by Microsoft helps put in place a plan for security risk management. The guide is technology-agnostic and references many industry-accepted standards for managing security risk.
How secure is SSE-CMM?
Let us cite from the SSE-CMM website: The SSE-CMM (The Systems Security Engineering Capability Maturity Model) [1] describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering. The model is intended to be used as a:
- Tool for engineering organizations to evaluate security engineering practices and define improvements to them.
- Standard mechanism for customers to evaluate a provider’s security engineering capability.
- Basis for security engineering evaluation organizations (e.g., system certifiers and product evaluators) to establish organization capability-based confidence (as an ingredient to system or project security assurance).
Insecure SPICE?
As a process engineer I have recently been part of a SPICE (ISO/IEC 15504, Software Process Improvement and Capability dEtermination) assessment [1]. What SPICE is concerned with is the capability provided by the organization’s management and process definition structures. SPICE is not a methodology. Although SPICE sets out a list of activities that might (and should) occur in a software project, it does not set out the order in which such activities should be carried out.
The shortcoming of SPICE is that it defines processes in process dimensions divided into the five process categories of:
- customer-supplier
- engineering
- supporting
- management
- organization
Since SPICE is intended to be a framework for the assessment of software processes, I asked myself where the processes for the development of secure software are hidden. We should not locate them in the customer-supplier or organization processes.
In my opinion there should be at least one touch point each for the engineering (secure code development and QA), management (guidelines) and supporting (patch creation) process domains.
However, this point is missing compared to CMMI [2] efforts. The model SSE-CMM (Systems Security Engineering Capability Maturity Model) describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering [3]. More about SSE-CMM and its real capabilities in an upcoming blog entry.
References
[1] http://www.isospice.com/
[2] http://www.sei.cmu.edu/cmmi/
[3] http://www.sse-cmm.org/