process Steve's feedback

[DinisCruz]

(from Microsoft SDLC )

Requirements & Analysis

• The driving force here is market/business goals
• CTO/CISO should be monitoring this phase. Early insights into what direction the business is moving can help to mitigate potential security implications of new products and features.
• Start reviewing resources needed for creating the AppSec team

  High Level design

• AppSec team lead responsible for identifying Static analysis and other tools appropriate for the environment.
• Champion that Tools should be incorporated into the build environment
  • run as part of the build process
  • output goes to DB (later used to feed dashboards)
  • output should be filtered so previously found issues are not duplicated
  • tag should be added to identify when issue first found (can be used in dashboard for days to resolve)
  • Dashboard requirements initial planning
  • Security issues tracking system initial requirements defined
  • Issue tracking system identified (JIRA) and requirements defined
  • Issues/bugs found by static tools should auto generate tickets (filtering to prevent duplictes)
  • Issues/bug should feed to dashboard

CTO/CISO to identify skills for AppSec team (may change in next phase)

• Identify team lead
• Team lead main job is to:
• Evangelize AppSec to the PM/DEV/Test Team
• Identify Security Champs
• Assign tasks to Security Champs such as reviewing issues found, initiating threat modeling, which may be updating existing threat models or creating new
• Team lead works with Security champs, sets up weekly/bi-weekly meetings. Summarize finding and report to LT (leadership team) I am going to suggest an outline using the first on the left graph. There are many other processes which might be better suited to your approach, but it is a place to start.

  Detailed Design

(to do)

Construction & Assembly

(to do)

Independent Verification

(to do)

Release & Maintenance

(to do)

Some general comments: (no particular order)

• Title may need some work, needs to have a bit more “eye Candy”
• AppSec road map using JIRA
• No mention of mobile (un-necessary access to mobile features, (GPS, contacts, camera, etc) or IoT security (transport security, tampering, etc) issues.
• There is little reference to privacy/data protection which has a significant security component (encrypting data, access controls, etc.

[Ambg05]

Suggested changes to High Level design (changes highlighted in Bold):

AppSec team lead is responsible for identifying Static analysis and other tools appropriate for the environment. • Champion that Tools should be incorporated into the build environment o Run as part of the build process o Output goes to DB (later used to feed dashboards) o Output should be filtered so previously found issues are not duplicated o Tag should be added to identify when issue first found (can be used in dashboard for days to resolve)

Issue tracking system identified (JIRA) and requirements defined • Issues/bugs found by static tools should auto generate tickets (filtering to prevent duplicates) • Issues/bug should feed to dashboard

Some general comments: (no particular order) • No mention of mobile (un-necessary access to mobile features, (GPS, contacts, camera, etc) or IoT security (transport security, tampering, etc.) issues.