https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/17978#M807 <P>Hi,</P><P>&nbsp;</P><P>In order to develop hack-resilient software, it is important to incorporate security concepts in the requirements, design, code, release and disposal phases of the SDLC. Security concepts span across the entire life cycle and will need to be addressed in each phase.</P><P>&nbsp;</P><P>Microsoft has created a strategy that is referred as the SD3+C, this stands for Secure by Design, Secure by Default, secure by Deployment and communication</P><P>&nbsp;</P><P>There is no single framework that addresses for all. The requirements will be changed from project to project.</P><P>&nbsp;</P><P>For example you can use BSIMM/SSMM during the requirement/design phase</P><P>&nbsp;</P><P>BSIMM is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. BSIMM provides some good guidance for secure operations (such as penetration testing, software configuration, configuration management and vulnerability management) during deployment.</P><P>&nbsp;</P><P>Threat modeling Frameworks you can use during design phase</P><P>Open Source Security Testing Methodology Manual (OSSTMM) during testing phase</P><P>&nbsp;</P><P>You can use other NIST/ISO standards</P><P>&nbsp;</P><P>NIST Special Publication (SP 800-18) provides guidance for the development of security plans, incorporating security requirements and controls into the plan</P><P>&nbsp;</P><P>The ISO/IEC 15408 Standard and Software Security<BR />ISO/IEC 21827:2008 – Systems Security Engineering Capability Maturity Model (SSE-CMM)</P><P>ISO/IEC 27002:2005 – Code of Practice for Information Security Management</P><P>Payment Card Industry Data Security Standard (PCI DSS)</P><P>and so forth</P><P>&nbsp;</P><P>DevOps is also a good methodology to incorporate security&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Jan 2019 17:31:33 GMT iluom 2019-01-16T17:31:33Z https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/17968#M806 <P>Hello everyone,</P><P>&nbsp;</P><P>I'm currently doing some research into the secure systems/software development frameworks/methodologies that are currently in use.</P><P>&nbsp;</P><P>I'm wondering what frameworks, if any, people in the (ISC)2 community might recommend and why they would recommend them.&nbsp;I would greatly appreciate any useful insights the community could share with me.</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>- Darin</P> Wed, 16 Jan 2019 08:03:25 GMT https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/17968#M806 darinmorris 2019-01-16T08:03:25Z https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/17978#M807 <P>Hi,</P><P>&nbsp;</P><P>In order to develop hack-resilient software, it is important to incorporate security concepts in the requirements, design, code, release and disposal phases of the SDLC. Security concepts span across the entire life cycle and will need to be addressed in each phase.</P><P>&nbsp;</P><P>Microsoft has created a strategy that is referred as the SD3+C, this stands for Secure by Design, Secure by Default, secure by Deployment and communication</P><P>&nbsp;</P><P>There is no single framework that addresses for all. The requirements will be changed from project to project.</P><P>&nbsp;</P><P>For example you can use BSIMM/SSMM during the requirement/design phase</P><P>&nbsp;</P><P>BSIMM is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. BSIMM provides some good guidance for secure operations (such as penetration testing, software configuration, configuration management and vulnerability management) during deployment.</P><P>&nbsp;</P><P>Threat modeling Frameworks you can use during design phase</P><P>Open Source Security Testing Methodology Manual (OSSTMM) during testing phase</P><P>&nbsp;</P><P>You can use other NIST/ISO standards</P><P>&nbsp;</P><P>NIST Special Publication (SP 800-18) provides guidance for the development of security plans, incorporating security requirements and controls into the plan</P><P>&nbsp;</P><P>The ISO/IEC 15408 Standard and Software Security<BR />ISO/IEC 21827:2008 – Systems Security Engineering Capability Maturity Model (SSE-CMM)</P><P>ISO/IEC 27002:2005 – Code of Practice for Information Security Management</P><P>Payment Card Industry Data Security Standard (PCI DSS)</P><P>and so forth</P><P>&nbsp;</P><P>DevOps is also a good methodology to incorporate security&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Jan 2019 17:31:33 GMT https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/17978#M807 iluom 2019-01-16T17:31:33Z https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/18132#M828 <P>Hi&nbsp;<SPAN>Mouli,</SPAN></P><P>&nbsp;</P><P><SPAN>Thank you for sharing your insight. It's much appreciated!</SPAN></P><P>&nbsp;</P><P><SPAN>I'm aware of almost all of the frameworks/methodologies you've mentioned here.&nbsp;</SPAN><SPAN>It's good to see I'm on the right track! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>&nbsp;</P><P><SPAN>- Darin</SPAN></P> Wed, 23 Jan 2019 07:08:10 GMT https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/18132#M828 darinmorris 2019-01-23T07:08:10Z https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/18210#M831 <P>Hello Darin !</P><P>&nbsp;</P><P>You might also gaze on the&nbsp;OWASP Secure Software Development Lifecycle Project (<A href="https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project</A>).</P><P>&nbsp;</P><P>There you´ll find a solid security software methodology for web applications as well as tools and guidelines.</P><P>&nbsp;</P><P>I hope this helps!<BR /><BR />Regards,</P><P><BR />Leandro</P><P>&nbsp;</P> Thu, 24 Jan 2019 14:40:32 GMT https://community.isc2.org/t5/Tech-Talk/Best-Secure-Software-Development-Frameworks-Methodologies/m-p/18210#M831 lcinti 2019-01-24T14:40:32Z