Question
As a security professional you will constantly be assessing the security posture of your organization. For this assignment, we will be taking an industry standard assessment framework, BSIMM, and applying it to our fictitious incident that we developed during week 1. Using the incident detail provided below, complete an assessment of Full Sail's application security practices and provide a list of recommendations on how it can be improved.
Incident Scenario:
Following the incident that you wrote about in week 1, Full Sail's information security leadership has decided to perform an audit of Full Sail's software development practices to gain an understanding on where Full Sail's processes can be improved. To accomplish this, the information security team has outlined a list of desired requirements from the Building Security In Maturity Model (BSIMM) framework (refer to Part 6: The BSIMM Activities in the BSIMM Foundations PDF). For this assignment, you will read the background information for each section, familiarize yourself with the requirements defined in BSIMM, and write up what Full Sail's development team needs to do to comply with the defined requirements.
GOVERNANCE
STRATEGY & METRICS
Full Sail has been developing software from a feature perspective. As in, the developers are focused on deploying the features desired from the development leadership. There is a loose process between the developers to ensure that the changes being made don't break the application when deployed, but the process doesn't go beyond this. Of the developers, there is one that has an interest in trying to develop secure code, but he doesn't have the tools or buy-in from leadership to really act on it.
BSIMM Requirements
SM1.1
SM2.7
COMPLIANCE & POLICY
Full Sail has a compliance specialist that works to ensure that the university is in alignment with regulatory compliance, namely GLBA and FERPA. However, there is not a written policy that defines the processes and procedures that need to be adhered to in order to ensure that compliance is carried out amongst all faculty. There also isn't a lot of understanding around how Personally Identifiable Information (PII) is handled within the applications that manage it. Finally, due to compliance being a large part of university accreditation, the compliance specialist does a thorough job of training executives on the regulatory compliance that needs to be adhered to, but there isn't a lot of training on the consequences of non-compliance.
BSIMM Requirements
CP1.1
CP1.2
CP1.3
CP2.5
TRAINING
Full Sail provides company-specific information security awareness training to all of its faculty, but nothing specific to software development.
BSIMM Requirements
T1.1
T1.7
T2.8
T2.9
INTELLIGENCE
ATTACK MODELS
Full Sail subscribes to a commercial threat intelligence service to keep them up-to-date on the threats that Full Sail may experience. The Full Sail information security team also maintains a list of the top five threats to Full Sail University and works to tailor their defenses to best combat those threats at a high level. However, Full Sail hasn't gotten to a level where they are tailoring their defenses to technology-specific threats.
BSIMM Requirements
AM1.5
AM2.2
AM2.5
SECURITY FEATURES & DESIGN
Full Sail has a variety of security tools utilized by the information security team, and practices around hardening the operating systems and infrastructure used at the university. However, this information is only partially communicated to the development teams, and it is often not timely. There is no regular cadence between the security team and the development team to exchange information on best practices.
BSIMM Requirements
SFD1.1
SFD1.2
STANDARDS & REQUIREMENTS
Just as there are few comprehensive policies in place at Full Sail, there are also very few documented standards. There are, however, requirements adhered to around matters that deal with compliance like GLBA and FERPA.
Full Sail also has a process where, annually, they review these compliance requirements to ensure that they are still maintaining alignment with the most up-to-date standards.
Finally, there is a boilerplate Service Level Agreement (SLA) in place for dealing with vendors, but that SLA does not contain any requirements around software security.
BSIMM Requirements
SR1.1
SR1.3
SR2.2
SR2.5
SSDL TOUCHPOINTS
ARCHITECTURE ANALYSIS
As discussed previously, there is not any form of security review being performed during the development process. However, there are members of the team that are interested in how they can develop software more securely.
BSIMM Requirements
AA1.1
AA1.2
AA2.2
AA2.4
CODE REVIEW
Full Sail's development team does not utilize a standard set of static code analysis tools, but some of the developers have taken the liberty to utilize the free tier of SonarQube to scan some of their code before they check it in.
BSIMM Requirements
CR1.2
CR1.4
CR2.8
SECURITY TESTING
As discussed, there are loose Quality Assurance activities performed to ensure that the code being checked in by the various developers doesn't break the FSO application, but they are focused on feature functionality and performance alone.
BSIMM Requirements
ST1.1
ST1.3
DEPLOYMENT
PENETRATION TESTING
As part of Full Sail's compliance requirements, Full Sail hires a third-party penetration tester to test its security annually. However, Full Sail has no internal penetration testing capabilities that it leverages.
BSIMM Requirements
PT1.1
PT1.3
SOFTWARE ENVIRONMENT
As discussed, Full Sail's information security team has defined hardening requirements for their operating systems and infrastructure, but there is a gap when it comes to the tools and infrastructure used by the development team.
BSIMM Requirements
SE1.2
CONFIGURATION MANAGEMENT & VULNERABILITY MANAGEMENT
Full Sail's information security team has worked with the university to develop a comprehensive Incident Response Plan (IRP), and it interfaces with the software development team insofar as there is a procedure to ensure that applications can be restored from backups in the case of an incident. However, there is not a procedure in place for the development team to make emergency changes to the code base that has been tested.
BSIMM Requirements
CMVM1.1
CMVM2.1
CMVM3.4
Objectives and Outcomes:
Upon completion of this activity, you should be able to:
- Demonstrate how the BSIMM framework can be applied to an organization's processes.
- Understand at a high level how to perform an audit for an application security program.
- Develop the skills associated with thinking about an organization's security program in the terms of an industry standard framework.
Deliverables:
Deliver a Word Document or PDF file:
- You will upload the document with the file named LastnameFirstname_week1.doc or LastnameFirstname_week1.PDF