A Security Practices Evaluation Framework
Improve Development Process
Incorporate "lessons learned" from security vulnerabilities and their resolutions into the project's software development process.
Description
Experience gained from identifying and resolving vulnerabilities, and from testing their fixes, can be fed back into the development process to prevent similar issues from recurring. Incorporate "lessons learned" from security vulnerabilities and their resolutions into the project's software development process, so that each resolved vulnerability is treated not only as a defect to fix but as evidence about where the process itself let the defect through.
Practice Implementation Questions
- Does the project have a documented standard for its development process?
- When vulnerabilities occur, is considering changes to the development process part of the vulnerability resolution?
- Are guidelines for implementing the other SPEF practices part of the documented development process?
- Is the process reviewed for opportunities to automate or streamline tasks?
- Is the documented development process enforced?
Keywords
architecture analysis, code review, design review, development phase, gate, root cause analysis, software development lifecycle, software process