
Page 1
Source: itq.ch/pdf/CMMI_Webinar_Security_Content_and_Considerations.pdf

© 2013 Clearmodel/CMMI Institute

Security Content and Considerations in CMMI for Development and CMMI for Services

CMMI Institute Public Webinar

December 11, 2013

Page 2

Topics

Why security and CMMI?

Draft Security Management PA designed for CMMI-SVC
• Why is it needed
• What it is and how we developed and piloted the PA

Security by Design for CMMI-DEV
• Why is it needed
• What it is
• Benefits

How to identify security elements in SAS for appraisal

Next steps and more information

Page 3

Putting All the Pieces Together

Page 4

Security is Part of the Improvement Puzzle

Page 5

ISO 20000 & CMMI Mapping

Implications
• The fit between CMMI and ISO 20000 is good
• CMMI potentially has more detail
• What makes a good service management system?
• Gap = Security

Page 6

ITIL V3 & CMMI-SVC

[Figure: ITIL V3 lifecycle stages (Service Strategy, Service Transition, Continual Service Improvement) mapped to CMMI-SVC process areas CAM, STSM, SST, SSD, SD, IRP, SCON, CM, OPF, OPD, WP, OT, WMC, RSKM, SAM, MA, PPQA, plus Security]

CMMI & ITIL
• Good fit
• ITIL provides “how to” for IT
• CMMI provides improvement path

Page 7

Improving Service Management

[Figure: CMMI, ITIL, ISO 20000 and Security combined]

Page 8

Why Should We Fill the Gap?

Completeness of Improvement Journey
• Organizations have business problems to solve that cross model boundaries
• Framing these issues in a common language helps

Appraisal or Audit Need
• Organizations with multiple accreditations are faced with frequent internal audit and appraisal issues
• One common framework cuts appraisal or audit costs & minimizes disruption to busy front-line workers

Model Completeness
• Security issues are not “additional” to service delivery or development
• They are integral to it

Page 9

ISO27001 – GP Relationships

[Table: CMMI generic practices GP 2.1 through GP 2.10, GP 3.1 and GP 3.2 and the ISO 27001 requirements they cover]

Page 10

ISO 27001 – Establishing ISMS

Clause 4.2.1 - Establish the Information Security Management System
– Scope the security system
– Define an approach to identifying and evaluating security threats
– Define how to deal with them
– Obtain management approval for the plans and mechanisms defined

Page 11

ISO 27001 – Put the ISMS in Place

Clause 4.2.2 - Implement and Operate the Information Security Management System
– Instigate a plan to operate the security system
– Manage the level of threat

Clause 4.2.3 - Monitor and Review the ISMS
– Use ISMS mechanisms to monitor threats
– Take action to address threats

Clause 4.2.4 - Maintain and Improve the ISMS
– Measure and monitor the system
– Implement corrections or improvements

Page 12

New PA – Basic Structure

Examination of ISO 27001 provided suggestion of initial content
– Establish and Maintain a Security Management System
– Use the Agreed Security Management System to Provide Required Security

Under these two strands, we can construct statements that look and feel like practice statements
– Ideal for appraisal purposes
– Very valuable for improvement teams constructing an improvement plan
– One language style, one plan, potentially multiple models engaged

Page 13

Security Management (SM)

SG1 – Establish a Security Management System
– SP1.1 Establish Security Objectives
– SP1.2 Establish an Approach to Threat Assessment
– SP1.3 Identify Security Threats
– SP1.4 Evaluate and Prioritize Security Threats
– SP1.5 Establish a Security Management Plan
– SP1.6 Obtain Commitment to the Security Management Plan

SG2 – Provide Security
– SP2.1 Operate the Security Management System
– SP2.2 Monitor the Security Management System

http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf

Page 14

Introduction to Security by Design with CMMI-DEV

• Formerly known as +SECURE
• Developed by Siemens
• Reviewed by the CMMI community
• Published by the CMMI Institute in May 2013

Page 15

Why we created Security by Design for CMMI-DEV V1.3

• Security incidents in some well-known companies and many small companies
• Increased attention for security
• Recognizing the need for designing-in security as part of the development process
• Lack of appropriate process models
• Avoiding the multi-model syndrome: add on to CMMI
• Helping the community to create better SW
• Having a “yardstick” for secure SW development processes available

Page 16

Is it really an Issue?

Page 17

[Image, source: www.polizei-beratung.de]

The attacker is always looking for the weakest link

Page 18

Only a fully integrated secure development lifecycle ensures protection against attacks

Security Strategies, Example Activities and Results

Security Features
– Example activities: firewalls; cryptography; authentication models
– Results: insufficient security level; security defects in features that are not security-suspect

Singular, Ad-hoc Activities
– Example activities: penetration testing in late development phases; use of secure coding guidelines without reviews
– Results: huge defect correction efforts; products are deployed even with severe security risks; some security risks are unknown

“Design for Security”
– Example activities: fully integrated in the development process; systematic engineering and management of the development process
– Results: plannable security efforts; operational resiliency against attacks; reduced security risks; security is handled as another quality criterion

Page 19

In four process areas, Requirements for Organization and Processes are defined

Process Area Intention & Purpose

Organizational Preparedness for Secure Development (OPS)
– Establish capabilities to develop secure products and react to product security incidents.

Security Management in Projects (SMP)
– Project activities to address security topics are identified, prepared, planned, and managed.
– Evaluate and manage product security risks throughout the project.

Security Requirements and Technical Solution (SRT)
– Develop security requirements to meet the relevant stakeholders’ security needs.
– Develop a secure architecture and design for the product according to security design principles.
– Establish and maintain standards for secure product configuration.
– Implement the secure product components and associated security support documentation.

Security Verification and Validation (SVV)
– Ensure that selected work products meet their specified security requirements.
– Demonstrate that the product or product components fulfill the security expectations when placed in their intended operational environment.

Page 20

Integrate Security into the Organization: “Make it Stick”

[Figure: five elements of lasting security: Processes, Roles, Trainings, Resources, Guidelines]

Processes
• Known and documented knowledge of the organization's way to get things done
• If you want security to be part of all your projects, integrate it in your processes!

Page 21

Integrate Security into the Organization: “Make it Stick”

Roles
• Provide responsibility
• Provide authority

Page 22

Integrate Security into the Organization: “Make it Stick”

Training
• Basic security training for everybody / all roles
• Specialized training where needed, e.g. for
  • Project Manager
  • (Lead) Architect
  • (Lead) Developer
  • Security Tester

Page 23

Integrate Security into the Organization: “Make it Stick”

Resources
• How good is a role when you don't have time to live it?
• Appropriate tools, e.g. for
  • Secure Coding
  • Security Testing

Page 24

Integrate Security into the Organization: “Make it Stick”

Guidelines
• Provide technical details and methods, e.g. for
  • Architecture
  • Coding
  • Hardening
• Make lessons learned from previous projects available for all projects

Page 25

Continuous Development of Secure Products Requires Security Guidance AND Mature Processes

Security practices rely on a functional development process to take effect

[Figure: Secure Product built on Security by Design and CMMI-DEV ML3]

Page 26

Benefits of Using Secure Software with Secure by Design for CMMI-DEV

• More robust and resilient software, less vulnerability
• Saving money and effort for late and expensive software updates and other hardening “after the fact”
• Less reputation loss through fewer publications and alerts about security defects
• Less risk of lost, stolen and manipulated data, and related monetary and intellectual losses
• More confidence from your customers
• Organizes the development of secure products by design, rather than through some features
• Fits perfectly with CMMI-DEV, no need to introduce a completely new model
• Written in a language understood by CMMI professionals
• Brings security know-how to the CMMI community, and process know-how to the security community

Page 27

How to identify an appraisal in SAS that includes a security element: Organizational Unit Field

Page 28

Model Scope Field

This text does publish to PARS and must be included in the “Model Scope” field in SAS.

Page 29

Appraisal Phases and Remarks Field

Page 30

Additional ADS Information

This text does not publish to PARS, but it must be included in the “Additional ADS Information” field in SAS.

Page 31

Appraisal Plan – Model Scope

Page 32

Appraisal Plan – Appraisal Outputs

Page 33

Appraisal Plan – Identified Risks and Mitigations

Page 34

Summary

Security material is available for CMMI-SVC and CMMI-DEV
• Four PAs for security during development
• A single draft PA for service delivery and enterprise use, aligned with ISO 27001
• Built by experienced CMMI, development, service, security, improvement, and appraisal professionals
• In use and tested by multiple enterprises in both implementation and appraisal
• While not “official” CMMI content, has been used in appraisal and can be indicated in appraisal records

Page 35

Questions?

Page 36

How Can You Stay Informed?

Security by Design with CMMI for Development Version 1.3
http://cmmiinstitute.com/resource/security-by-design-with-cmmi-for-development-version-1-3/

CMMI for Services and Security Whitepaper
http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf

CMMI for Services Book (with draft Security PA)
www.informit.com/store/product.aspx?isbn=0321711521

When in doubt, contact us at [email protected]

Page 37

Thank you for your attention!

Peter Panholzer, MSc
[email protected]
Limes Security
Softwarepark 26
4232 Hagenberg, Austria

Eileen Forrester
[email protected]
CMMI Institute, 11 Stanwix Street, Suite 1150, Pittsburgh, PA 15222
[email protected]