Saturday, April 26, 2008

Producing Secure Software With Software Security Enhanced Processes

On behalf of OWASP, and as PR for the organization, I wrote an article for the April edition of in-secure magazine: Producing Secure Software With Software Security Enhanced Processes. Besides evaluating the pros and cons of different software security enhanced process models such as MS-SDL, OWASP-CLASP and Cigital Security Touchpoints, I deal with the basic steps of the process, which are 1) assessment of the software engineering and information security processes currently used by the organization, 2) implementation of the process models within the software security framework, and 3) software security metrics and measurements.

Regarding the assessment, I deal with maturity levels and I published a maturity level curve that I took from the old CLASP methodology as a reference (herein included). The maturity curve depicted in the article comes from old CLASP documentation that dates back to when CLASP was owned by Secure Software. The reason I put that figure in the article is to make the point that security activities can be effectively built into the SDLC if tied to reaching capability maturity levels. This is based upon my experience in rolling out a software security framework for large financial organizations. The concept is very intuitive "per se": some activities, like metrics and measurements, require a higher maturity level than others. Others, like training and awareness, are prerequisites to achieving maturity and allow the adoption of other activities, such as secure code reviews for example. I have recently done extensive work on mapping a software security roadmap to the maturity levels assessed for the financial organization I currently work for. Such a CMM takes into account SDLC methodologies, risk management processes, as well as security tools and training and awareness levels across all departments within the organization. The maturity exercise helps in setting a roadmap to determine what can be achieved in the short term and in the long term, and at which cost.

A reader of my article, Dan Fiedler, suggested mapping CLASP, MS SDL and TP to the maturity curve. I think this can be very useful in terms of comparing what maturity levels can be achieved using the different models, making some assumptions about the adoption spread within the organization.
