removed emoji from filenames, Obsidian changed all relevant links
This commit is contained in:
parent
d316285a74
commit
68f1c38681
638 changed files with 710 additions and 3176 deletions
|
|
@ -1,52 +0,0 @@
|
|||
February 2, 2022
|
||||
|
||||
Relevant ISO 27001 clauses/controls:
|
||||
- [ISO 27001 A.14.2 Security in development and support processes](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A.14.2%20Security%20in%20development%20and%20support%20processes.md)
|
||||
|
||||
R.vanderveer@sig.eu
|
||||
@robvanderveer
|
||||
www.sig.eu/security
|
||||
Contributor to ISO standards
|
||||
|
||||
Maturity
|
||||
* Level 2 = Testing
|
||||
* late in the process, rework creates stress, separate from the primary development process allows it to be postponed
|
||||
* Level 3 = Treat Modelling
|
||||
* Hygiene Approach = List of Do’s and Don’ts - requirements , guidelines, training
|
||||
* Level 4 = Scanning tools (code scanning, dependencies)
|
||||
* Level 5 =
|
||||
* Tool integration and dashboard, expert tool config, expert code/design/privacy review, organization guidance, team coaching, culture change
|
||||
|
||||
OWASP SAMM is a good process framework. Also has self assessment tools to establish base level.
|
||||
owaspsamm.org
|
||||
owaspsamm.org/guidance/agile
|
||||
Recommended: OWASP ASVS and MASVS
|
||||
OWASP security wayfinder
|
||||
|
||||
OpenCRE.org provides an interactive content linking platform for uniting security standards!
|
||||
|
||||
|
||||
Key building blocks of successful secure software development:
|
||||
- Everybody should own the problem (product owners, management, teams)
|
||||
- Collaboration between security experts and developer
|
||||
- Tailored training, based on principles
|
||||
- Provide standard software bv uil ding blocks and frameworks
|
||||
- [Threat modeling](Security%20Threat%20Modeling.md) and situational Testing against these threats
|
||||
- Automated testing
|
||||
- Manual verification against checklists
|
||||
- Privacy and Maintainability
|
||||
- Integrate (single glass pane of findings)
|
||||
- Cross-team knowledge exchange (Security Guild)
|
||||
- Legacy code – Basically all the code that was driven when you had a lower security maturity level.
|
||||
|
||||
# Changing responsibilities in Software Development
|
||||
Martin Knobloch
|
||||
@knoblochmartin
|
||||
Martinknobloch@owasp.org
|
||||
|
||||
Everything you can put in a repository can be considered source code.
|
||||
|
||||
From cascaded development to extreme programming meant moving away from a linear process to a chaotic process
|
||||
|
||||
Security is everybody’s responsibility. Shared responsibility means having a common/shared view (unified dashboard) on vulnerabilities.
|
||||
Monitor for trends, and correlations between business events (process and tools changes, new functionality, etc.) and changes in the security posture
|
||||
Loading…
Add table
Add a link
Reference in a new issue