Security for Modern Engineering Information Security & Risk Management
Download 132.18 Kb.
|
- Navigate this page:
- 5.1Knowledge management
- 5.1.1CALM board
- 5.1.2Technical Control Procedures
- 5.1.2.1TCP maintenance
- 5.1.3Guidance factory
5Our approachOur approach to the challenges is itself an agile one in which we are evolving the solution through incremental feedback and updates. We are on this journey to evolve and to enhance how we integrate security with modern engineering and how we enable our engineering teams to succeed. The following are the four core tenets around which we are building our solution:  Figure Four core Tenets 5.1Knowledge managementHaving a sound knowledge management process is one of the key aspects of any effective security solution. Underneath any SDL process are the requirements, which we call Technical Control Procedures (TCPs). Defining clear technical requirements for engineering teams is the foundation of an SDL program, and over the years our Control Assessment Library and Methodology (CALM) board has continuously refined our requirements. 5.1.1CALM boardA successful knowledge management solution ensures that there is a governance process to constantly refine and refresh the requirement set. We do this by keeping our TCPs up-to-date through our CALM board. Subject matter experts (SMEs) from across the security teams sit on this board. The CALM board meets monthly and makes updates to specific TCPs so that engineers have the most up-to-date controls. They continuously evolve the library, and they make sure controls are relevant with the changing security landscape. 5.1.2Technical Control ProceduresTCPs are the actionable security controls that engineering teams must implement during the development of applications. TCPs are the minimum bar for security standards that all LOB applications must meet. TCPs are technical or process-oriented and are defined to be agnostic of technology. The following are a few examples of areas these requirements cover: Figure Areas of Coverage for TCPs TCPs are built around positive instead of negative attributes and are focused towards engineering teams. We identify what the known positive controls are that a system should implement to be secure. In our taxonomy of a TCP, we define (among other attributes): 
The following are few example categories from the TCP library and their underlying procedures: 
Table TCP Categories TCPs are the backbone of everything we drive with the engineering teams. The following are areas of the SDL to which TCPs are integral:
TCPs are the avenue by which we deliver core guidance to our engineers about how controls must be implemented and about their applicability. TCPs are the super set of security controls, and we hold our engineering teams accountable to them through the SDL process.
When an application is selected for a security assessment, all the applicable TCPs based on the context of the application are tested and verified for correct implementation. Any identified failures result in risk findings for the engineering teams to fix.
Security tools evaluations are fundamentally focused around which TCPs the tools will help automate (either for detection, correction, or both). This mapping to TCPs not only allows us to optimize our manual process, but also helps reveal where we have adequate tool coverage.
TCPs must be aligned to the company’s standards and security policy. This provides the rationale behind “Why.” Alignment helps business and risk stakeholders determine the risk in omitting the implementation of TCPs. The alignment function’s biggest payoff is simplifying the engineering team’s interaction with standards. For example, multiple standards may have a requirement for encryption, and the TCPs allow us to combine each of those requirements into a single actionable control for the engineering team. 
Figure Alignment to company policy 5.1.2.1TCP maintenanceAs described earlier, TCPs are maintained by our CALM board and are authored in a technology agnostic fashion. We review our full set at least quarterly – and also the methodology by which the assessment occurs – and if we have carefully defined them, there should be few changes. For example, TCPs that define requirements for input validation should rarely change. However, when it comes to implementation details that are technology-specific, such as implementing security controls in Azure, we update the implementation guidance that supports the given TCP more often. Because this implementation guidance can change more often, we needed to find a method to address areas in which engineers have frequent questions. The need is also amplified by the fact that development platforms such as .NET and Azure are updating more frequently. To keep up with such a pace, we are experimenting with the concept of a “guidance factory.” 5.1.3Guidance factoryTo keep pace with modern engineering, the old form of "guidance documents" just aren't as efficient. We don't have the luxury to spend several months (or even weeks) to publish an essay about "Writing secure code for [fill in your platform here]." TCPs are the next step and provide an excellent minimum bar, but sometimes, engineers need bite-sized snacks of guidance. We created a guidance factory where we could take requests on demand and turn them around into bite-sized chunks in a timely fashion. We started piloting a guidance factory approach in 2015. In this pilot, an analyst posts quick guidance in response to questions from the engineering team to a SharePoint site. We leveraged that site as a key input to our TCP maintenance process and continue to evolve them over time. With this agile approach, engineers receive up-to-date guidance that delves deeper than our currently published TCPs in a timely fashion, and in the long term we leverage the guidance produced into the TCPs. Directory: download download -> Performance Tuning Guidelines for Windows Server 2008 May 20, 2009 Abstract download -> Northern England’s set-jetting locations download -> Bbc archives: Beyond the programme download download -> Occupational health and safety download -> Dynatest 3031 lwd light Weight Deflectometer download -> Forth coming competitive exams download -> English Olympiad Tasks: 10 th form Аудіювання, 10 клас. Текст download -> Brush High School Morning Announcements Friday, September 05, 2014 all school download -> Year 9 The Arts — Music download -> Years 7 and 8 standard elaborations — Australian Curriculum: Music draft Download 132.18 Kb. Share with your friends:
|