SC&A: How MassMutual Builds Secure Applications
MassMutual's SC&A (security certification and accreditation) process:
By Lauren Gibbons Paul
February 01, 2005 — CSO — 1. An IT person sends a request for an IT building permit to the information security department. An infosec "consultant" goes through a short triage, and either sends the project for more evaluation or gives it a green light if the security risk is minimal.
2. The assigned consultant helps the project manager with a more detailed security questionnaire. The answers help the security consultant categorize the project as high-, medium- or low-risk.
3. The consultant continues to meet with the IT project team during development or vendor selection, checking the work against documented in-house security policies.
4. After basic system testing, the project applies for a certificate of occupancy, then heads into the quality assurance phase of testing.
5. After Q/A, the CISO signs the certificate of occupancy, and the application or system is placed in the production environment.
Read more about application security in CSOonline's Application Security section.
Other stories by Lauren Gibbons Paul
In-depth information on tools and strategies for writing secure code, finding vulnerabilities, and other critical application security issues
10 steps to secure browsing
Holistic patch management, browser settings, filtering, and other tactics
Vulnerability management: The basics
5 key tenets for making the most of vulnerability management efforts
Software security for developers
Building security in, from the requirements phase through deployment
Software security for app dev managers
Building and managing a software security program that pays off
How to use source code analysis tools
How to use web application vulnerability scanners
How to compare patch management software
Ranum: Does disclosure work?
- A Step-by-Step Guide to Building Virtualization Maturity and Maximizing Virtualization Outcomes
- A Road Map for Best Practice Social Media Acceptable Use Policy
- LogRhythm: The Platform for Cyber Threat Defense, Detection & Response
- LogRhythm CTO & Co-Founder takes "Deep Dive" Into LogRhythm's SIEM 2.0 Platform
- KPMG & LogRhythm: Apply Continuous Monitoring via SIEM 2.0 for Maximum Visibility & Protection
- Introduction to VMware vCenter Site Recovery Manager 5
- Patch Tuesday preview, February 2012
Microsoft published its Patch Tuesday Preview for February of 2012 a few minutes ago. IT admins can expect nine bulletins to address 21 security vulnerabilities.
It looks like four bulletins will be rated critical while the rest are designated as important.
Affected Microsoft products are:
- M86 report proves water is wet
- Actor, banker, soldier, spy: Suits and Spooks Anti-Conference aims to redefine security
More Salted Hash with Bill Brenner
