Version: 1.00
Contributors:
Organization:
Project:
Interview Date:
Interviewer:
Person Interviewed:
Governance
Level Strategy & Metrics
SM1 Is there a software security assurance program already in place?
Assertion:
Assertion:
Assertion:
SM1 Is most of your development staff aware of future plans for the assurance program?
Assertion:
Assertion:
Assertion:
SM1 Do most of the business stakeholders understand your organization’s risk profile?
Assertion:
Assertion:
Assertion:
Assertion:
SM2 Are risk ratings used to tailor the required assurance activities?
Assertion:
SM2 Does most of the organization know about what’s required based on risk ratings?
Assertion:
SM3 Does your organization regularly compare your security spending with other organizations?
Assertion:
Assertion:
Assertion:
PC2 Does the organization utilize a set of policies and standards to control software development?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
PC2 Are project teams able to request an audit for compliance with policies and standards?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
PC3 Are projects periodically audited to ensure a baseline of compliance with policies and standards?
Assertion:
Assertion:
Assertion:
PC3 Does the organization systematically use audits to collect and control compliance evidence?
Assertion:
Assertion:
Assertion:
EG1 Does each project team have access to secure development best practices and guidance?
Assertion:
Assertion:
Assertion:
EG2 Are most roles in the development process given role-specific training and guidance?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
EG2 Are most stakeholders able to pull in security coaches for use on projects?
Assertion:
Assertion:
Assertion:
EG3 Is security-related guidance centrally controlled and consistently distributed throughout the organization?
Assertion:
Assertion:
Assertion:
Assertion:
EG3 Are most people tested to ensure a baseline skillset for secure development practices?
Assertion:
Assertion:
Assertion:
Assertion:
Construction
Level Threat Assessment
TA1 Do most projects in your organization consider and document likely threats?
Assertion:
Assertion:
Assertion:
Assertion:
TA1 Does your organization understand and document the types of attackers it faces?
Assertion:
Assertion:
Assertion:
TA2 Do project teams regularly analyze functional requirements for likely abuses?
Assertion:
Assertion:
TA2 Do project teams use a method of rating threats for relative comparison?
Assertion:
Assertion:
TA3 Are all protection mechanisms and controls captured and mapped back to threats?
Assertion:
Assertion:
Assertion:
Assertion:
SR1 Do project teams pull requirements from best practices and compliance guidance?
Assertion:
Assertion:
Assertion:
SR2 Are most stakeholders reviewing access control matrices for relevant projects?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
SR2 Are project teams specifying requirements based on feedback from other security activities?
Assertion:
SR3 Are most stakeholders reviewing vendor agreements for security requirements?
Assertion:
SR3 Are the security requirements specified by project teams being audited?
Assertion:
Assertion:
Assertion:
Assertion:
SA1 Are most project teams aware of secure design principles and applying them?
Assertion:
Assertion:
SA2 Do you advertise shared security services with guidance for project teams?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
SA2 Are project teams provided with prescriptive design patterns based on their application architecture?
Assertion:
Assertion:
Assertion:
SA3 Are project teams building software from centrally controlled platforms and frameworks?
Assertion:
Assertion:
SA3 Are project teams being audited for usage of secure architecture components?
Assertion:
Assertion:
Verification
Level Design Review
DR1 Do project teams document the attack perimeter of software designs?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
DR1 Do project teams check software designs against known security risks?
Assertion:
Assertion:
Assertion:
Assertion:
DR2 Do most project teams specifically analyze design elements for security mechanisms?
Assertion:
Assertion:
Assertion:
DR2 Are most project stakeholders aware of how to obtain a formal design review?
Assertion:
Assertion:
Assertion:
DR3 Does the design review process incorporate detailed data-level analysis?
Assertion:
Assertion:
Assertion:
DR3 Does routine project audit require a baseline for design review results?
Assertion:
Assertion:
Assertion:
Assertion:
CR1 Are project teams generally performing review of selected high-risk code?
Assertion:
Assertion:
Assertion:
CR2 Can most project teams access automated code analysis tools to find security problems?
Assertion:
Assertion:
CR2 Do most stakeholders consistently require and review results from code reviews?
Assertion:
Assertion:
CR3 Do project teams utilize automation to check code against application-specific coding standards?
Assertion:
CR3 Does routine project audit require a baseline for code review results prior to release?
Assertion:
Assertion:
ST1 Are most stakeholders aware of the security test status prior to release?
Assertion:
Assertion:
Assertion:
ST3 Are security test cases comprehensively generated for application-specific logic?
Assertion:
ST3 Do routine project audits demand minimum standard results from security testing?
Assertion:
Assertion:
Deployment
Level Vulnerability Management
VM1 Do most projects have a point of contact for security issues?
Assertion:
Assertion:
VM1 Are most project teams aware of their security point(s) of contact and response team(s)?
Assertion:
VM2 Does the organization utilize a consistent process for incident reporting and handling?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
VM2 Are most project stakeholders aware of relevant security disclosures related to their software projects?
Assertion:
VM3 Are most incidents inspected for root causes to generate further recommendations?
Assertion:
Assertion:
Assertion:
Assertion:
VM3 Do most projects consistently collect and report data and metrics related to incidents?
Assertion:
Assertion:
Assertion:
EH1 Do most projects check for security updates to third-party software components?
Assertion:
Assertion:
EH2 Is a consistent process used to apply upgrades and patches to critical dependencies?
Assertion:
Assertion:
Assertion:
EH2 Do most projects leverage automation to check application and environment health?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
EH3 Are stakeholders aware of options for additional tools to protect software while running in operations?
Assertion:
Assertion:
EH3 Does routine audit check most projects for baseline environment health?
Assertion:
Assertion:
Assertion:
Assertion:
OE1 Are security-related alerts and error conditions documented for most projects?
Assertion:
Assertion:
Assertion:
Assertion:
OE2 Are most projects utilizing a change management process that’s well understood?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
OE2 Do project teams deliver an operational security guide with each product release?
Assertion:
Assertion:
Assertion:
Assertion:
Assertion:
OE3 Are most projects being audited to check each release for appropriate operational security information?
Assertion:
Assertion:
OE3 Is code signing routinely performed on software components using a consistent process?
Assertion:
Assertion:
Assertion:
Assertion:
SAMM Assessment Interview: <Project Name Here> For <Interview Date
Instructions
Interview the individual based on the questions below, organized according to SAMM Business Functions and Security Practices.
Mark "Yes" or "No" next to each question or assertion based on the individual's response.
Record additional information such as how and why in the "Interview Notes" column.
To mark "Yes" on a question, each assertion below that question must also be satisfied.
Once the interview is complete, go to the "Scorecard" sheet and follow instructions.
Governance
Strategy & Metrics
Is there a software security assurance program already in place?
Assurance program is documented and accessible to staff.
Assurance program has been used in recent development efforts.
Staff receives training against assurance program and responsibilities.
Is most of your development staff aware of future plans for the assurance program?
Assurance program goals are documented and accessible to staff.
Assurance program goals have been presented to staff.
A plan has been put in place to reach those goals in a specific period of time.
Does most of the organization know about what’s required based on risk ratings?
Staff receives training according to documented assurance program and risk classifications.
Does your organization regularly compare your security spending with other organizations?
Statistics regarding similar organizations' security spending are collected regularly.
Compare potential cost savings by purchasing products or switching vendors for security tools.
Security cost-comparison exercises are conducted at least annually.
Does the organization utilize a set of policies and standards to control software development?
A set of security policies has been created based on compliance drivers.
Optional or recommended compliance items have been added to security policies.
Requirements based on known business drivers for security have been added to security policies.
Common or similar policies have been grouped, generalized, and rewritten to satisfy compliance and security requirements.
Security policies do not include requirements that are too costly or difficult for project teams to comply with.
Awareness programs have been created to advertise and spread awareness of security policies.
Are project teams able to request an audit for compliance with policies and standards?
A process has been created for project teams to request an audit against security policies and compliance requirements.
Internal audits are prioritized based on business risk indicators.
Each project undergoes an audit at least biannually.
Awareness programs have been created to advertise and spread awareness of the organization's audit process.
Audit results are reviewed by project stakeholders including per requirement pass/fail status, impact, and remediation.
Are projects periodically audited to ensure a baseline of compliance with policies and standards?
Compliance and security gates are established throughout the development process.
An exception approval process has been created for legacy or other specialized projects.
Automated tools (code review, penetration testing, etc.) are used to assist in identifying non-compliance prior to the audit process.
Does the organization systematically use audits to collect and control compliance evidence?
An automated system is used to capture, organize, and display audit data and documentation.
Access to audit data is controlled based on a need to know.
Instructions and procedures for accessing audit data are published and advertised to project groups.
Does each project team have access to secure development best practices and guidance?
Resources regarding secure development practices have been assembled and made available to developers.
Management informs development groups that they are expected to utilize secure development resources.
A checklist based on the secure development resources has been created to ensure guidelines are met during development.
Are most roles in the development process given role-specific training and guidance?
Role-specific application security training is given to developers, architects, QA, etc.
Managers and requirements specifiers receive training in security requirements, threat modeling, and misuse/abuse case design.
Testers and auditors receive training in code review, architecture and design analysis, runtime analysis, and effective security test planning.
Developer training includes security design patterns, tool-specific training, threat modeling and software assessment techniques, and vulnerability and incident management planning.
Role-specific training is provided at least annually as well as on demand based on need.
Is security-related guidance centrally controlled and consistently distributed throughout the organization?
A centralized repository has been created to organize secure development information, resources, and processes.
An approval board and change control management process is in place to control modification of information in this repository.
A method for collaboration and communication of secure development topics has been provided.
Content is searchable based on common factors like platform, language, library, life-cycle stage, etc.
Are most people tested to ensure a baseline skillset for secure development practices?
Exams are used to verify retention of security knowledge in a per training module or per role context.
Exams are given to staff at least biannually.
Staff are organized or ranked based on exam scores.
Some security activities or gates require staff of a certain rank to sign off before the item is marked as complete.
Construction
Threat Assessment
Do most projects in your organization consider and document likely threats?
Likely worst-case scenarios are documented for each project based on its business risk profile.
Attack trees or a threat model is created for each project tracing the preconditions necessary for a worst-case scenario to be realized.
Attack trees or threat models are expanded to include potential security failures in current and historical functional requirements.
When new features are added to a project, attack trees or threat models are updated.
Does your organization understand and document the types of attackers it faces?
Potential external threat agents and their motivations are documented for each project.
Potential internal threat agents, their associated roles, and damage potential are documented for each project or architecture.
A common set of threat agents, motivations, and other information is collected at the organization level and re-used within projects.
Security Requirements
Do most project teams specify some security requirements during development?
Security requirements are derived from functional requirements and customer/organization concerns.
A security auditor leads specification of security requirements within each project.
Security requirements are specific, measurable, and reasonable.
Security requirements are documented for each project.
Do project teams pull requirements from best practices and compliance guidance?
Industry best practices are used to derive additional security requirements.
Existing code bases are analyzed by a security auditor for opportunities to add security requirements.
Plans to refactor existing code to implement security requirements are prioritized by project stakeholders including risk managers, senior developers, and architects.
Secure Architecture
Are project teams provided with a list of recommended third-party components?
A weighted list of commonly used third-party libraries and code is collected and documented across the organization.
The libraries are informally evaluated for security based on past incidents, responses to identified issues, complexity, and appropriateness to the organization. Risks associated with these components are documented.
A list of approved third-party libraries for use within development projects is published.
Are most project teams aware of secure design principles and applying them?
A list of secure design principles (such as defense in depth) have been collected and documented.
These principles are used as a checklist during the design phase of each project.
Do you advertise shared security services with guidance for project teams?
A list of reusable resources is collected and categorized based on the security mechanisms they fulfill (LDAP server, single sign-on server, etc.).
Are project teams provided with prescriptive design patterns based on their application architecture?
Each project is categorized based on architecture (client-server, web application, thick client, etc.).
A set of design patterns is documented for each architecture (risk-based authentication system, single sign-on, centralized, etc.).
Architects, senior developers, or other project stakeholders identify applicable and appropriate patterns for each project during the design phase.
Verification
Design Review
Do project teams document the attack perimeter of software designs?
Each project group creates a simplified one-page architecture diagram representing high-level modules.
Each component in the diagram is analyzed in terms of accessibility of the interface from authorized users, anonymous users, operators, application-specific roles, etc.
Interfaces and components with similar accessibility profiles are grouped and documented as the software attack surface.
One-page architecture diagram is annotated with security-related functionality.
Grouped interface designs are evaluated to determine whether security-related functionality is applied consistently.
Architecture diagrams and attack surface analysis is updated when an application's design is altered.
Code Review
Do most project teams have review checklists based on common problems?
The organization has derived a light-weight code review checklist based on previously identified security requirements.
Developers receive training regarding their role and the goals of the checklist.
Can most project teams access automated code analysis tools to find security problems?
The organization has reviewed open source, commercial, and other solutions for performing automated code reviews and selected a solution that will best fit the organization.
Automated code analysis has been integrated within the development process (at code check-in for example).
Do most stakeholders consistently require and review results from code reviews?
Project stakeholders review and accept any risks that they choose not to address.
Project stakeholders have created a plan for addressing findings in legacy code.
Security Testing
Are projects specifying some security tests based on requirements?
The organization has documented general test cases based on security requirements and common vulnerabilities.
Each project has documented test cases for security requirements specific to that project.
Staff ensures test cases are applicable, feasible, and can be executed by relevant development, security, and quality assurance staff.
Do routine project audits demand minimum standard results from security testing?
Each project contains a checkpoint in the development process that requires a specific level of security testing results to be met before release.
The organization has established an exception process for handling security testing results in legacy projects, which requires a certain level of assurance to be met within a specific time period.
Deployment
Vulnerability Management
Do most projects have a point of contact for security issues?
Each project or development group has assigned a security-savvy developer to be the point of contact for security issues.
The organization maintains a centralized list of applications, projects, and points of contact regarding security issues.
Are most project teams aware of their security point(s) of contact and response team(s)?
The security response team meets with project groups at least annually to brief individuals on the incident response process.
Does the organization utilize a consistent process for incident reporting and handling?
The organization has a documented process for incident handling and reporting, including team members' roles and responsibilities.
The incident response process includes items such as triage to prevent additional damage, change management and patching the application, managing project personnel and others involved in the incident, forensic evidence collection and preservation, communication about the incident to stakeholders, well-defined reporting to stakeholders and/or communications trees, etc.
The incident response team receives training at least annually.
The organization has adopted and documented a security issue disclosure process.
The organization has adopted and documented a patch release process.
The organization has adopted and documented a process for collaborating with individuals exercising responsible disclosure.
The organization advertises a process for handling issues disclosed responsibly by third-parties.
The organization has adopted and documented a practice for disclosing incidents to the public (if necessary and in compliance with state and federal laws).
Are most project stakeholders aware of relevant security disclosures related to their software projects?
A formal, documented process has been established for tracking, handling, and communicating incidents internally.
Environment Hardening
Do the majority of projects document some requirements for the operational environment?
The organization documents and maintains a set of baseline operating platforms.
Project teams expand on existing, approved baseline operating platforms to meet project requirements.
Project teams document assumptions made about operating environments during development.
Organization and project operating platforms are reviewed at least every six months.
Do most projects leverage automation to check application and environment health?
The organization has reviewed open source, commercial, and other solutions for performing automated monitoring and patch management and has selected a solution that will best fit the organization.
Automated monitoring and patch management tools and processes have been integrated within the organization's operational environments.
Project teams and the operations team document and implement application-level health checks.
The automated monitoring and patch management tools generate alerts, and a documented process for handling and responding to these alerts has been established.
Project teams and the operations team review configuration changes and alerts at least quarterly in order to improve current processes.
Are stakeholders aware of options for additional tools to protect software while running in operations?
The security team or operations team reviews optional tools for protecting software with project stakeholders.
Appropriate solutions such as a WAF, IPS, HIDS, etc. are adopted for each project's operational environment.
Does routine audit check most projects for baseline environment health?
Project-level audits include analysis and testing of the operational environment in which the software resides.
Audits include verification of compliance with the organization's patch management process.
Operational environment audits occur at least every six months.
The organization has established an exception process for legacy operational environments, which requires a certain level of assurance to be met within a specific time period.
Operational Enablement
Do you deliver security notes with the majority of software releases?
Project teams document security-relevant configuration and operations information and provide documentation to users and operators.
Project teams document a list of security features built into the software, options for configuration, security impacts, and in
secure default.
Project stakeholders review security documentation prior to release.
Project teams update security documentation at least every six months.
Do project teams deliver an operational security guide with each product release?
Project teams develop an operational security guide starting with information documented about security-related alerts and all security information needed by users and operators.
Guides include items such as: security-related configuration options, event handling procedures, installation and upgrade guidance, operational environment specifications, security-related assumptions about the deployment environment, etc.
Project teams work with project stakeholders to determine an appropriate level of detail for the operational security guide.
Project teams update the operational security guide with each release.