Domain 6: Secure Software Lifecycle Management
6.1 Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)
6.2 Define Strategy and Roadmap
6.3 Manage Security Within a Software Development Methodology
- Security in adaptive methodologies (e.g., Agile methodologies)
- Security in predictive methodologies (e.g., Waterfall)
6.4 Identify Security Standards and Frameworks
6.5 Define and Develop Security Documentation
6.6 Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)
6.7 Decommission Software
- End-of-life policies (e.g., credential removal, configuration removal, license cancellation, archiving)
- Data disposition (e.g., retention, destruction, dependencies)
6.8 Report Security Status (e.g., reports, dashboards, feedback loops)
6.9 Incorporate Integrated Risk Management (IRM)
- Regulations and compliance
- Legal (e.g., intellectual property, breach notification)
- Standards and guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), OWASP, Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security In Maturity Model (BSIMM))
- Risk management (e.g., mitigate, accept, transfer, avoid)
- Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
- Technical risk vs business risk
6.10 Promote Security Culture in Software Development
- Security champions
- Security education and guidance
6.11 Implement Continuous Improvement (e.g., retrospective, lessons learned)