+A: What's next for Application Managers (some additions and wording)

[sslHello]

Received by mail from Thomas:

• 'Manage the full Application Lifecycle' -> 'Manage the complete Application Lifecycle'
• 'Applications are some of the most complex systems' -> 'Applications are some of the most complex systems'
• Comment to an older version of 'We suggest establishing application owners and application managers for every application to provide' which had been alredy changed -> I hope you like the latest version of this paragraph.
• 'including receiving the protection requirements in regard to confidentiality, integrity and availability of all data assets.' -> 'including the protection requirements with regard to confidentiality, authenticity, integrity and availability of all data assets.'
• '... as OWASP Secure Software Contract Annex' -> add TSS-WEB (Checklist) https://tss-web.secodis.com/
• 'Define a security architecture, controls, and countermeasures according to the protection needs and the planned environmental security level' -> 'Define the security architecture, controls, and countermeasures appropriate to the protection needs and the assumed threat level'
• 'Get the application owner to assume remaining' -> 'Get the application owner to accept remaining'
• 'Each sprint, ensure security stories are created for functional requirements, and constraints added for non-functional requirements.' -> 'In each sprint, ensure security stories are created including constraints added for non-functional requirements.'
• 'Automate the secure setup of the application' -> 'Automate the secure deployment of the application'

Thank you for the comments.

[sslHello]

Have addressed most of the feedback, thanks! Remaining for discussion:

• 'Manage the full Application Lifecycle' -> 'Manage the complete Application Lifecycle'
• '... as OWASP Secure Software Contract Annex' -> add TSS-WEB (Checklist) https://tss-web.secodis.com/ (+ update the Note if we do)

[vanderaj]

We use the term "Secure Software Development Lifecycle" or "Secure Development Lifecycle" which is a common term at many places, including Microsoft. Should we adopt that term, as it seems to gathering pace?

At this point in time, I'm not in favor of putting in TSS-Web. Thoughts?

[Neil-Smithline]

Andrew - "Secure Software Development Lifecycle" is not the same as "full application lifecycle". The former refers to something done largely by devs, while the latter refers to a much larger process that includes operations and eventual end-of-life of the application. Are you thinking something different? We do mention "secure development lifecycle" on +D.

[Neil-Smithline]

I too vote no on TSS-Web. I'm unfamiliar with the standard (and have no time to look at it before we release). Also, we've been very careful putting references to company in the standard and I don't know this company well enough to feel comfortable using them. Oh - and I should also mention I managed to get this when poking around their site:

This server could not prove that it is secodis.com; its security certificate expired 135 days ago. At least for me, that's the kiss of death.

[Neil-Smithline]

@vanderaj - I think that if you are comfortable with not using SDLC here, we can close this issue.

[infosecdad]

SAMM is going to "Software Assurance Lifecycle" to represent the full lifecycle, not just the "development" lifecycle.