While a current-state measurement, such as the Building Security In Maturity Model (BSIMM), shows you what you're doing today, a Maturity Action Plan (MAP) helps you set objectives, outline a strategy to get from where you are today to those objectives, and clarify the resources you'll need. We work closely with your key stakeholders to understand your organization's current state, define an achievable future state, and develop a MAP to advance your software security initiative (SSI). The plan covers three SSI execution capability groups:
Equip staff with the knowledge and information needed to specify, create, and operate secure software. Three of the most common capabilities are:
- Satellite ensures that a knowledgeable group of software security practitioners is adequately distributed across all your development teams.
- Competency Management provides all software stakeholders with sufficient skills to execute the evolving tasks associated with their role.
- Attack Intelligence brings relevant and timely information about attacker actions, security defects, and mitigation techniques into your firm and transforms it into actionable guidance.
Identify and characterize the organization's software assets and define how and when to engage with each development and acquisition activity. Six of the most common process capabilities are:
- Software Development Life Cycle (SDLC) Gates ensure that people and tools include or apply the appropriate software security controls in each software project.
- Open Source Management ensures that all open source software used in the firm's portfolio is known, tracked, maintained, tested, and used in accordance with SSI policies and standards.
- Risk and Compliance enables subject matter experts to periodically determine the risk posture and compliance status of all software in the SSI's purview.
- Policy and Standards ensures that the appropriate roles maintain complete and current documentation of the mandatory actions, events, and characteristics applicable to all the people, processes, and technology in the SSI and its application portfolio.
- Metrics ensures that all SSI processes are appropriately instrumented, that measurement data become valuable metrics, and that those metrics are distributed to everyone who requires them for decision-making.
- Vendor Management prevents third-party acquired software from unacceptably increasing the firm's software security risk and ensures clear assignment of software security responsibility.
Use traditional software security activities to verify the software your security program produces. Four of the most common verification techniques are:
- Penetration Testing finds exploitable defects through manual and automated white box and black box testing of running software.
- Architecture and Design Review uncovers exploitable flaws in software architecture and design through manual white box analysis, before they are committed to code.
- Secure Code Review identifies exploitable defects in source code through manual code review and automated static analysis.
- Quality Assurance finds functional defects and exploitable defects through manual and automated testing.