© 2013 Clearmodel/CMMI Institute
Security Content and Considerations
in CMMI for Development and
CMMI for Services
CMMI Institute Public Webinar
December 11, 2013
Topics
Why security and CMMI?
Draft Security Management PA designed for CMMI-SVC
• Why is it needed
• What it is and how we developed and piloted the PA
Security by Design for CMMI-DEV
• Why is it needed
• What it is
• Benefits
How to identify security elements in SAS for appraisal
Next steps and more information
Putting All the Pieces Together
Security is Part of the Improvement Puzzle
ISO 20000 & CMMI Mapping
Implications
• The fit between CMMI and ISO 20000 is good
• CMMI potentially has more detail
• What makes a good service management system?
• Gap = Security
ITIL V3 & CMMI-SVC
[Figure: ITIL V3 lifecycle stages (Service Strategy, Service Transition, Continual Service Improvement) mapped to CMMI-SVC process areas CAM, STSM, SST, SSD, SD, IRP, SCON, CM, OPF, OPD, WP, OT, WMC, RSKM, SAM, MA, PPQA, with Security as the remaining gap]
CMMI & ITIL
• Good fit
• ITIL provides “how to” for IT
• CMMI provides improvement path
Improving Service Management
[Figure: CMMI, ITIL, ISO 20000 and Security as the pieces of service management improvement]
Why Should We Fill the Gap?
Completeness of Improvement Journey
• Organizations have business problems to solve that cross model boundaries
• Framing these issues in a common language helps
Appraisal or Audit Need
• Organizations with multiple accreditations are faced with frequent internal audit and appraisal issues
• One common framework cuts appraisal or audit costs & minimizes disruption to busy front-line workers
Model Completeness
• Security issues are not “additional” to service delivery or development
• They are integral to it
ISO 27001 – GP Relationships
[Figure: ISO 27001 requirements mapped to the CMMI generic practices they cover: GP 2.1 through GP 2.10, GP 3.1 and GP 3.2]
ISO 27001 – Establishing ISMS
Clause 4.2.1 - Establish the Information Security Management System
– Scope the security system
– Define an approach to identifying and evaluating security threats
– Define how to deal with them
– Obtain management approval for the plans and mechanisms defined
ISO 27001 – Put the ISMS in Place
Clause 4.2.2 - Implement and Operate the Information Security Management System
– Instigate a plan to operate the security system
– Manage the level of threat
Clause 4.2.3 - Monitor and Review the ISMS
– Use ISMS mechanisms to monitor threats
– Take action to address threats
Clause 4.2.4 - Maintain and Improve the ISMS
– Measure and monitor the system
– Implement corrections or improvements
New PA – Basic Structure
Examination of ISO 27001 suggested the initial content:
– Establish and Maintain a Security Management System
– Use the Agreed Security Management System to Provide Required Security
Under these two strands, we can construct statements that look and feel like practice statements
– Ideal for appraisal purposes
– Very valuable for improvement teams constructing an improvement plan
– One language style, one plan, potentially multiple models engaged
Security Management (SM)
SG1 – Establish a Security Management System
– SP1.1 Establish Security Objectives
– SP1.2 Establish an Approach to Threat Assessment
– SP1.3 Identify Security Threats
– SP1.4 Evaluate and Prioritize Security Threats
– SP1.5 Establish a Security Management Plan
– SP1.6 Obtain Commitment to the Security Management Plan
SG2 – Provide Security
– SP2.1 Operate the Security Management System
– SP2.2 Monitor the Security Management System
http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf
Introduction to Security by Design with CMMI-DEV
• Formerly known as +SECURE
• Developed by Siemens
• Reviewed by the CMMI community
• Published by the CMMI Institute in May 2013
Why we created Security by Design for CMMI-DEV V1.3
• Security incidents in some well-known companies and many small companies
• Increased attention to security
• Recognizing the need for designing in security as part of the development process
• Lack of appropriate process models
• Avoiding the multi-model syndrome: add on to CMMI
• Helping the community to create better software
• Having a “yardstick” for secure software development processes available
Is it really an Issue?
[Figure; source: www.polizei-beratung.de]
The attacker is always looking for the weakest link
Only a fully integrated secure development lifecycle ensures protection against attacks
Security strategies, with example activities and results:
Singular, Ad-hoc Activities
– Example activities: penetration testing in late development phases; use of secure coding guidelines without reviews
– Results: huge defect correction efforts; products are deployed even with severe security risks; some security risks are unknown
Security Features
– Example activities: firewalls; cryptography; authentication models
– Results: insufficient security level; security defects in features that are not security-suspect
“Design for Security”
– Example activities: security is handled as another quality criterion; fully integrated in the development process; systematic engineering and management of the development process
– Results: plannable security efforts; operational resiliency against attacks; reduced security risks
In four process areas, requirements for organization and processes are defined
Process Area – Intention & Purpose
Organizational Preparedness for Secure Development (OPS)
– Establish capabilities to develop secure products and react to product security incidents.
Security Management in Projects (SMP)
– Project activities to address security topics are identified, prepared, planned, and managed.
– Evaluate and manage product security risks throughout the project.
Security Requirements and Technical Solution (SRT)
– Develop security requirements to meet the relevant stakeholders’ security needs.
– Develop a secure architecture and design for the product according to security design principles.
– Establish and maintain standards for secure product configuration.
– Implement the secure product components and associated security support documentation.
Security Verification and Validation (SVV)
– Ensure that selected work products meet their specified security requirements.
– Demonstrate that the product or product components fulfill the security expectations when placed in their intended operational environment.
Integrate Security into the Organization: “Make it Stick”
[Figure: Processes, Roles, Trainings, Resources and Guidelines as the building blocks of Lasting Security]
Processes
• Known and documented knowledge of the organization's way to get things done
• If you want security to be part of all your projects, integrate it in your processes!
Roles
• Provide responsibility
• Provide authority
Training
• Basic security training for everybody / all roles
• Specialized training where needed, e.g. for
  – Project Manager
  – (Lead) Architect
  – (Lead) Developer
  – Security Tester
Resources
• How good is a role when you don't have time to live it?
• Appropriate tools, e.g. for
  – Secure Coding
  – Security Testing
Guidelines
• Provide technical details and methods, e.g. for
  – Architecture
  – Coding
  – Hardening
• Make lessons learned from previous projects available for all projects
Continuous Development of Secure Products Requires Security Guidance AND Mature Processes
Security practices rely on a functional development process to take effect
[Figure: Secure Product = Security by Design + CMMI-DEV ML3]
Benefits of Using Secure Software with Security by Design for CMMI-DEV
• More robust and resilient software, fewer vulnerabilities
• Saving money and effort on late and expensive software updates and other hardening “after the fact”
• Less reputation loss through fewer publications and alerts about security defects
• Less risk of lost, stolen and manipulated data, and related monetary and intellectual losses
• More confidence from your customers
• Organizes the development of secure products by design, rather than through individual security features
• Fits perfectly with CMMI-DEV; no need to introduce a completely new model
• Written in a language understood by CMMI professionals
• Brings security know-how to the CMMI community, and process know-how to the security community
How to identify an appraisal in SAS that includes a security element: Organizational Unit Field
Model Scope Field
This text does publish to PARS and must be included in the “Model Scope” field in SAS.
Appraisal Phases and Remarks Field
Additional ADS Information
This text does not publish to PARS, but it must be included in the “Additional ADS Information” field in SAS.
Appraisal Plan – Model Scope
Appraisal Plan – Appraisal Outputs
Appraisal Plan – Identified Risks and Mitigations
Summary
Security material is available for CMMI-SVC and CMMI-DEV
• Four PAs for security during development
• A single draft PA for service delivery and enterprise use, aligned with ISO 27001
• Built by experienced CMMI, development, service, security, improvement, and appraisal professionals
• In use and tested by multiple enterprises in both implementation and appraisal
• While not “official” CMMI content, has been used in appraisal and can be indicated in appraisal records
Questions?
How Can You Stay Informed?
Security by Design with CMMI for Development Version 1.3
http://cmmiinstitute.com/resource/security-by-design-with-cmmi-for-development-version-1-3/
CMMI for Services and Security Whitepaper
http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf
CMMI for Services Book (with draft Security PA)
www.informit.com/store/product.aspx?isbn=0321711521
When in doubt, contact us at [email protected]
Thank you for your attention!
Peter Panholzer, MSc
Limes Security
Softwarepark 26
4232 Hagenberg, Austria
Eileen Forrester
CMMI Institute
11 Stanwix Street, Suite 1150
Pittsburgh, PA 15222