When it comes to application security, government agencies are under pressure to meet the law as implemented in regulations, which often includes the need for regular awareness and technical training, independent software assessments, and adoption of industry best practices for secure coding.
On the civilian side, FISMA mandates following NIST requirements. The NIST CSRC has set out the requirements to meet under the FISMA project. Specific requirements are set out in NIST Special Publication 800-53. Control SA-8 states:
| SA-8 SECURITY ENGINEERING PRINCIPLES |
|---|
| Control: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. Supplemental Guidance: The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications to the extent feasible, given the current state of the hardware, software, and firmware within the system. Examples of security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring system developers and integrators are trained on how to develop secure software; (vi) tailoring security controls to meet organizational and operational needs; and (vii) reducing risk to acceptable levels, thus enabling informed risk management decisions. |
Computer-Based Training
To meet the management, developer, project leader, architect and QA training requirements, Security Innovation offers TeamProfessor, the industry’s largest computer-based training library. Popular courses include How to Conduct a Code Review, Creating Secure ASP.Net Applications, and Security Tools & Technologies.
“In Practice” Secure Development Guidance
Once training is complete, developers need just-in-time guidance that can be customized for the agency’s practices and standards. TeamMentor is an industry-first Secure Development Knowledgebase that comprises more than 3,000 how-to’s, secure code snippets, attacks, and checklists, offering expert guidance as development and IT teams conduct specific security activities.
Software & SDLC Assessments
To help you bring the appropriate security process and activities to your development practice, Security Innovation can identify problems in your software during any phase of the development lifecycle, or within the SDLC itself.

