Applying Security by Design with the CMMI for Development
To enable development of secure products, processes covering the software development life cycle have to include security activities. “Security must be considered right from the beginning and the products have to be secure by design” said Winfried Russwurm from Siemens and Peter Panholzer from Limes Security. They facilitated a workshop at the SEPG Europe 2013 conference where they explored security activities and presented the Application Guide for Improving Processes for Secure Products.
Winfried and Peter asked the workshop attendants to come up with dedicated development activities that need to be done to enhance security and to create a more secure product. They categorized the ideas that the attendants brought up:
- Arrange for security experts
- Increase security awareness and develop a security culture
- Provide security training
- Develop and deploy security policies
- Identify hackers as stakeholders
- Do a security risk analysis
- Define security requirements, e.g. with security user stories and scenarios
- Focus on security risks in interface design
- Architecture rules and guidelines for security
- Identify and apply proven architectures for security
- Apply coding standards for secure software
- Use tooling to check code on security
- Plan and do security testing
- Use tools to automate security testing
Full Life Cycle
- Perform security reviews and verifications
- Identify risk sources and categories to do a risk assessment
- Apply lessons learned from other companies and communities
- Establish social media policies for dealing with security issues
Earlier this year the CMMI Institute published the Application Guide for Improving Processes for Secure Products. This application guide contains additional process areas about security aspects of engineering, managing security in projects, and organizational security topics. The guide can be used with the Capability Maturity Model Integration for Development (CMMI-DEV) to improve processes so that organizations using them can provide security assurance for their customer.
The CMMI Institute together with the authors of the guide would like to hear from organizations that have used the guide, and they welcome any feedback.