An Effective Approach for Assessing the Risk of Acquired IT Products

  • Conference paper
  • In: ISSE 2014 Securing Electronic Business Processes

Abstract

Acquired software may introduce new vulnerabilities in IT environments. Risk officers need a method for assessing the security of the IT products they procure and the impact they may have on the organization’s risk posture.

Experts agree that secure software is the result of a comprehensive process and that the maturity of secure development practices varies across technology providers. Methods that are appropriate for assessing the security of software developed without security in mind can be counterproductive for assessing the security of products developed by organizations with a mature secure software development methodology.

This paper outlines approaches for assessing the security of acquired products depending on the maturity of the technology provider developing the product.



Author information

Corresponding author: Eric Baize.


Copyright information

© 2014 Springer Fachmedien Wiesbaden

Cite this paper

Baize, E., Lipner, S. (2014). An Effective Approach for Assessing the Risk of Acquired IT Products. In: Reimer, H., Pohlmann, N., Schneider, W. (eds) ISSE 2014 Securing Electronic Business Processes. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-06708-3_3

  • DOI: https://doi.org/10.1007/978-3-658-06708-3_3
  • Publisher Name: Springer Vieweg, Wiesbaden
  • Print ISBN: 978-3-658-06707-6
  • Online ISBN: 978-3-658-06708-3
  • eBook Packages: Computer Science (R0)