
How do these three concepts fit together:

The Software Development Process (SDP) indicates the different phases of creating an application. Well known processes are waterfall, spiral, agile, extreme programming, etc.

OWASP CLASP and Microsoft SDL are processes to improve the security of applications. The way I understand it is that they do not replace software development processes, but are to be integrated into them. Would I be right to assume that CLASP and SDL would have to be adapted to the chosen SDP?

And finally there are security standards, like the ISO 27000 family, and various others (NIST, BSI, IEC etc). How do these fit into the picture? Are these bigger frameworks into which the above points are embedded?

schroeder
daniel f.

1 Answer

As for the ISO 27000 family, it has a list of controls which are part of the management system, and you have to specify whether they are relevant to your scope of implementation or not. These controls specify the requirements of what you should do but give you the freedom in how you do it. Meaning, you have the freedom to inject the requirements of the ISO 27000 into your development processes.

An example of a control is "system acceptance testing", which requires those who are conforming to the standard to have acceptance testing for changes within the current assets. I leave it to you to figure out where this may fit in your organization's processes.

HTH

RAO