Model | Design | Security Architecture | Technology Management
Benefit
Transparency of technologies that introduce security risk
Activity
People often take the path of least resistance in developing, deploying or operating a software solution. New technologies are often included when they can facilitate or speed up the effort or enable the solution to scale better. These new technologies might, however, introduce new risks to the organization that you need to manage.
Identify the most important technologies, frameworks, tools and integrations being used for each application. Use the knowledge of the architect to study the development and operating environment as well as artefacts. Then evaluate them for their security quality and raise important findings to be managed.
Question
Do you evaluate the security quality of important technologies used for development?
Quality criteria
| You have a list of the most important technologies used in, or in support of, each application |
| You identify and track technological risks |
| You ensure the risks to these technologies are in line with the organizational baseline |
Answers
| No |
| Yes, for some applications |
| Yes, for at least half of the applications |
| Yes, for most or all of the applications |
Benefit
Technologies with appropriate security level available to product teams
Activity
Identify commonly used technologies, frameworks and tools in use across software projects in the organization, whereby you focus on capturing the high-level technologies.
Create a list and share it across the development organization as recommended technologies. When selecting them, consider incident history, track record for responding to vulnerabilities, appropriateness of functionality for the organization, excessive complexity in usage of the third-party component, and sufficient knowledge within the organization.
Senior developers and architects create this list, including input from managers and security auditors. Share this list of recommended components with the development organization. Ultimately, the goal is to provide well-known defaults for project teams. Perform a periodic review of these technologies for security and appropriateness.
Question
Do you have a list of recommended technologies for the organization?
Quality criteria
| The list is based on technologies used in the software portfolio |
| Lead architects and developers review and approve the list |
| You share the list across the organization |
| You review and update the list at least yearly |
Answers
| No |
| Yes, for some of the technology domains |
| Yes, for at least half of the technology domains |
| Yes, for most or all of the technology domains |
Benefit
Limited attack surface due to usage of vetted technologies
Activity
For all proprietary development (in-house or acquired), impose and monitor the use of standardized technology. Depending on your organization, either implement these restrictions into build or deployment tools, by means of after-the-fact automated analysis of application artefacts (e.g., source code, configuration files or deployment artefacts), or periodically review focusing on the correct use of these frameworks.
Verify several factors with project teams. Identify use of non-recommended technologies to determine if there are gaps in recommendations versus the organization’s needs. Examine unused or incorrectly used design patterns and reference platform modules to determine if updates are needed. Additionally, implement functionality in the reference platforms as the organization evolves and project teams request it.
Question
Do you enforce the use of recommended technologies within the organization?
Quality criteria
| You monitor applications regularly for the correct use of the recommended technologies |
| You solve violations against the list accoranding to organizational policies |
| You take action if the number of violations falls outside the yearly objectives |
Answers
| No |
| Yes, for some applications |
| Yes, for at least half of the applications |
| Yes, for most or all of the applications |
Stream Guidance
- SAMM team guidance Google Doc
- Be the first to add to the Community guidance for this Stream!
Want to contribute?
Complete this Google Form with guidance for this Stream.
To learn more about Stream guidance for the SAMM model, see the Stream guidance page.