Domain 2: Secure Software Lifecycle Management

Risk Management Techniques and Concepts

Organizations have a few options when dealing with risk, including:

  • Mitigation: Take steps to reduce or eliminate the risk

  • Acceptance: Accept the potential risk and do nothing

  • Transference: Pass the risk on to an insurer, user, or other party

  • Avoidance: Stop performing the risky activity

Residual risk is the risk that is left over after risk mitigation actions have occurred that an organization must accept.

Technical risk is the risk posed by threats to software by attacks against it.

Business risk is the risk posed to the business by attacks against software and the resulting loss of functionality.

Integrated risk management (IRM) is a framework for policies, procedures, and technologies to manage various risks throughout the enterprise.

Risk appetite measures the amount of risk that an organization is willing to accept.

The probability of an attack measures how likely it is that an attacker will discover a vulnerability, develop an attack, and successfully exploit the vulnerability.

Impact measures the loss when an attacker exploits a vulnerability.

Compliance refers to an organization’s adherence to external regulations and laws. Conformance deals with adherence to internal requirements, such as organizational standards and policies.

A threat is anything that can cause harm to an organization and its assets.

A vulnerability’s exposure factor measures the magnitude of the impact of a vulnerability exploit.

A vulnerability is any feature of an asset that can be exploited by an attacker for a malicious purpose. Flaws and bugs may be vulnerabilities, but they may also not be exploitable.

Impact measures the loss when an attacker exploits a vulnerability.

A threat agent is anyone or anything who can make a threat materialize.

Controls are measures put in place to detect, prevent, or mitigate the risks posed by a threat.

Measuring Security

Annual Rate of Occurrence (ARO) estimates the number of times that a specific threat will materialize each year.

Single Loss Expectancy (SLE) estimates the loss caused by a threat and is calculated as the product of the asset value and the exposure factor.

Annual Loss Expectancy (ALE) estimates the loss caused by a threat across an entire year. It is calculated as the product of SLO and ARO.

Metrics for measuring security can include:

  • Defects per thousand lines of code (most widely used)

  • Number of repeated errors

  • Number of common errors

  • Percent of errors above a criticality level

  • Average time to remediate an issue

  • Complexity associated with errors

Bug bars define the criticality threshold above which defects in software must be fixed.

Development Methodologies

Waterfall is a predictive development methodology with a linear, sequential process through stages with no backtracking. In Waterfall, identifying issues early is critical, as it is difficult to fix problems after the fact.

Scrum is an Agile development method in which participants are classified as pigs or chickens and have defined roles in project development. Development is broken into sprints designed to implement specific features.

XP is a people-centric approach to development that iteratively storyboards and implements user requirements.

The Spiral model combines elements of Waterfall and prototyping models. It incorporates risk assessments at each of its phases, enabling a team to minimize sunk costs on a failed project.

Security Controls

The five types of security controls are:

  • Detective: Build a log of system or user actions that can be used to identify anomalies and potential threats.

  • Preventative: Actively or proactively work to block an attack

  • Deterrent: Attempt to dissuade an attacker from carrying out an attack.

  • Corrective: Help to recover back to normal operations after an attack.

  • Compensating: Provide an alternative to a security requirement when the recommended control cannot be implemented for some reason.

Security controls can be classified into three classes:

  • Administrative: Administrative controls are guidelines, policies, and procedures. For example, many companies have a security policy that details acceptable use of their systems.

  • Technical: Technical security controls use software to protect against threats. Access control lists (ACLs) are an example of a technical control.

  • Physical: Physical controls are designed to provide physical security. Photo IDs, motion detectors, and security cameras are examples of physical controls.

Configuration Management

Configuration management is composed of configuration control and verification control. Three main components of this are:

  • Change process management (change authorization, verification control, and release processing)

  • Baseline control (change accounting and library management)

  • Configuration verification (status accounting for compliance with specifications)

Revision control is related to version control and involves defining and labeling each release.

Configuration control manages the configuration of hardware, software, documentation, interfaces, and patching.

Version control involves managing the versions and changes to files and a codebase.

Baseline control is part of configuration management and includes change accounting and library management.

Lifecycle

End-of-life policies should include:

  • Credential Removal: Cancelling accounts, credentials, and permissions associated with the software

  • Configuration Removal: Updating firewall rules and other configuration settings designed to allow the software to operate

  • License Cancellation: Cancelling any license subscriptions that were needed to run the software

  • Archiving: Maintaining a copy of the software and associated documentation in case it is needed in the future or for regulatory compliance

Security champions are employees that act as a resource and help lead others in their security efforts.

The customer role is responsible for post-release maintenance of a system.

The supplier role is responsible for pre-release product configuration. Configuration managers ensure that the configuration plan is followed throughout the development process.

Some useful resources for software security information include:

  • National Institute of Standards and Technology (NIST): NIST publishes various standards, including Special Publications (SPs) and Federal Information Processing Standards (FIPS).

  • Software Assurance Forum for Excellence in Code (SAFECode): SAFECode offers a collaboration environment for organizations to discuss software security best practices.

  • Software Assurance Maturity Model (SAMM): SAMM is a framework developed by OWASP to improve the security of the software development process.

  • Building Security in Maturity Model (BSIMM): BSIMM quantifies the maturity and effectiveness of an organization’s application security (AppSec) program.

  • International Organization for Standardization (ISO): ISO publishes a variety of different standards, including some that address software security.

  • Payment Card Industry (PCI): PCI-DSS is a data security standard focused on protecting the sensitive data of payment card holders and preventing payment card fraud.

  • Open Web Application Security Project (OWASP): OWASP maintains several top ten vulnerability lists for various types of software and creates a range of security resources.

Last updated