This web site provides a recipe-oriented outline of an Application Security program. There are several other established frameworks to consider, especially as you move beyond the low intensity level (see Right-Sizing). Once you have a baseline program in place you will want to review these other frameworks in addition to the set of ‘higher intensity’ activities suggested on the Right-Sizing page. Pointers to these other frameworks are provided on the Resources page.
BSIMM – Building Security In Maturity Model
BSIMM was developed by a consortium led by a team that is now part of Synopsys. BSIMM covers a broad range of security related topics. One notable aspect of the BSIMM material is that the report includes the results of a survey keyed from the model itself as presented in an appendix of the report. The model is organized with a top level of:
- Governance
- Intelligence
- SSDL Touchpoints
- Deployment
Each of these is then further decomposed until we have a list of specific line items presented in 3 “maturity level” groups. Some of these are quite concrete, such as: Use automated tools (under code review sub-category). Others are a bit more abstract, for example: Implement and track controls for compliance.
BSAFFS – BSA Framework for Secure Software
This is another consortium work-product. The top level organization is:
- Secure Development
- Secure Capabilities
- Secure Lifecycle
The material is then decomposed into Categories, Sub-Categories, and Diagnostic Statements. Each diagnostic statement is essentially a demand on the organization. Some of these are more of a standards/process nature. For example: Software uses robust integer operations for dynamic memory locations and array offsets. All well and good but sort of at a different level than Software development organizations document likely threats – which is essentially a demand to do threat modeling. Notably, each item is accompanied by a list of references back into BSIMM, Microsoft SDL, and NIST SSDF and quite a number of other sources.
NIST SSDF – Secure Software Development Framework
This of course is a work product of the US Government. That said the framework was subject to an external comment process. The high level decomposition is:
- Prepare the Organization
- Protect the Software
- Produce Well-Secured Software
- Respond to Vulnerabilities
Each of these then has a set of Practices with each Practice associated with one or more tasks with implementation examples. The material is notable for the heavy emphasis on securing the development environment (as witnessed by it being a top-level group). Like the BSAFFS and BSIM, the individual line items vary from fairly high level requirements to specific and actionable suggestions. Notably, links back to specific sections of other activities such as BSAFFS, BSIM, SDL, and many others are provided; that makes this a perfect place to start browsing the world of security development frameworks.
Microsoft SDL – Security Development Lifecycle
Microsoft was an early leader in the field of application security and continues to provide thought leadership and a variety of tools and technical material free of charge to the community. The presentation of the material is straight-forward and generally follows a narrative approach. The material is a bit more focused on the development-team activities than the other frameworks and it has a simpler structure – just a list of 12 practices.