Up to this point, all of the Vulnerability Manager functionality we have talked about has been centered around applications and vulnerabilities: tracking your application portfolio, importing and consolidating vulnerabilities, auto-generating virtual patches, and integrating with defect tracking systems. However, security isn’t only about vulnerabilities and their remediation – you also need to understand your organization’s practices for creating security software. How good are they and are they getting better over time?
Vulnerability Manager allows you to evaluate development teams and their practices against common maturity models. This provies a central location for sofware securty teams to compare teams to one another as well as lay out roadmaps for improving team practices over time.
The current implementation works by uploading XML templates describing the maturity model you want to use for evaluation as well as interview questions to help determine if the described practices are in place. Right now we support the Software Assurance Maturity Model and the evaluation interview questions are adapted from work done by Nick Coblentz. In the future we will likely support other maturity models in the space such as the Building Security In Maturity Model (BSI-MM).
Just for the fun of it – and to see how well we could support different maturity models – I put together an XML version of Joel Spolsky’s Joel Test. This is a basic 12-question survey to see if a software development team has basic best-practices in place. It isn’t security specific, but does serve as a useful guide for basic development practices. It isn’t included in the “technology preview” release but email me if you would like a copy. It will probably be included in subsequent releases.
Down the road we hope to be able to correlate team practices and maturity levels to the security of the software those teams are creating. That will let software security teams answer questions like “Are the teams we provided secure coding training to introducing fewer vulnerabilities?” and “Did deploying a static analysis tool reduce the time required to fix vulnerabilities?”
So Vulnerability Manager isn’t all about vulnerabilities. A goal is to provide a central place for software security teams to perform their job functions and to be able to use that central data to make better business decisions. Provding facilities to track team maturity and lay out roadmaps helps software security teams both see the state of their world today as well as plan for the future.
dan _at_ denimgroup.com