BT

Applying Security by Design with the CMMI for Development

by Ben Linders on Nov 15, 2013 |

To enable development of secure products, processes covering the software development life cycle have to include security activities. “Security must be considered right from the beginning and the products have to be secure by design” said Winfried Russwurm from Siemens and Peter Panholzer from Limes Security. They facilitated a workshop at the SEPG Europe 2013 conference where they explored security activities and presented the Application Guide for Improving Processes for Secure Products.

Winfried and Peter asked the workshop attendants to come up with dedicated development activities that need to be done to enhance security and to create a more secure product. They categorized the ideas that the attendants brought up:

Organization:

  • Arrange for security experts
  • Increase security awareness and develop a security culture
  • Provide security training
  • Develop and deploy security policies

Requirements:

  • Identify hackers as stakeholders
  • Do a security risk analysis
  • Define security requirements, e.g. with security user stories and scenarios

Architecture

  • Focus on security risks in interface design
  • Architecture rules and guidelines for security
  • Identify and apply proven architectures for security

Implementation

  • Apply coding standards for secure software
  • Use tooling to check code on security

Testing

  • Plan and do security testing
  • Use tools to automate security testing

Full Life Cycle

  • Perform security reviews and verifications
  • Identify risk sources and categories to do a risk assessment
  • Apply lessons learned from other companies and communities
  • Establish social media policies for dealing with security issues

Earlier this year the CMMI Institute published the Application Guide for Improving Processes for Secure Products.  This application guide contains additional process areas about security aspects of engineering,  managing security in projects, and organizational security topics. The guide can be used with the Capability Maturity Model Integration for Development (CMMI-DEV) to improve processes so that organizations using them can provide security assurance for their customer.

The CMMI Institute together with the authors of the guide would like to hear from organizations that have used the guide, and they welcome any feedback.

Hello stranger!

You need to Register an InfoQ account or to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2013 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT