Ounce Labs released a valuable resource for everybody involved in the Software Security business. "Software Security Assurance: A Framework for Software Vulnerability Management and Audit" is more than a framework, it’s a call to action driven by the need for better understanding of roles and responsibilities in software security assurance.
 

The paper starts by presenting the main components of software risk management processes which must address the issues and consequences of vulnerable software.

The core of the solution offered by OunceLabs  for managing software security assurance is based on 4 critical cyclic actions:

• Perform Risk Assessment : Determine the extent of vulnerabilities and their potential impact
• Provide Vulnerability Management and Remediation: Identify and fix the flaws
• Set Security Standards for Development and Deployment: Prevent the introduction of vulnerabilities
• Ensure Ongoing Assessment and Assurance: Provide monitoring and auditing

The Appendixes provide a consistent starting point for implementing the framework :

• Appendix A : Audit Program and Internal Control Questionnaire for Source Code Vulnerability Management
• Appendix B: Roles and Responsibilities for Software Security Assurance
• Appendix C: Control Objectives and Practices (related Control Frameworks, Requirements, Standards and Guidance : COSO, SOX, COBIT, ISO/IEC 17799 )
• Appendix D : Web Application Vulnerabilities : Top 10 Sources of Exposure to Locate and Remediate

I see this guide fitting very well in a general PDCA security management framework

Download (free registration required)  : Software Security Assurance: A Framework for Software Vulnerability Management and Audit

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!