Professional, Intermediate, Novice User Guide for all of Us

Working Out, Sweating it Out - Cigital Workbench

August 18th, 2008 chris

Doing Risk Management is a tedious process without automation. A key requirement for putting a Risk Management Framework into practice is automating aspects of the process. Those aspects best suited for automation include tracking, storing, and manipulating data about risks; displaying and measuring data about risks; and providing critical information and automation regarding processes.

Cigital provides professional services based on applying the Risk Management Framework philosophy. Using a toolset called the Workbench makes our jobs as consultants more efficient, effective, and consistent. It is a combination of simple tools and automated processes used to help consultants assess software quality.

The Workbench has three major components:

  1. Quality workflows and knowledge

    • Automated RMF

    • Process models and detailed descriptions of software assurance methods (called “the Matrix” internally)

    • Deliverable templates, reporting, and metrics

  2. Project communication and collaboration tools

    • A risk management dashboard, used to communicate risk mitigation status and progress

    • A complete knowledge management and document management system

    • Decision criteria and guidance

  3. Process evolution and knowledge capture

    • Process models built to be instantiated and adjusted in particular projects

    • History and knowledge catalogs

The Five Stages of Activity

August 11th, 2008 chris

The Risk Management Framework consists of five fundamental activity stages:

  1. Understand the business context

  2. Identify the business and technical risks

  3. Synthesize and prioritize the risks, producing a ranked set

  4. Define the risk mitigation strategy

  5. Carry out required fixes and validate that they are correct

Risk Management Framework

August 10th, 2008 chris

The Risk Management Framework (RMF) is at its heart a philosophy for software security. Following the RMF is by definition a full lifecycle activity, no matter whether you’re working on a little project or a huge corporate application strategy. The key to reasonable risk management is to identify and keep track of risks over time as a software project unfolds. As touchpoints are applied and risks are uncovered, for example, the RMF allows us to track them and display information about their status. The RMF is a high-level approach to iterative risk management that is deeply integrated throughout the software development lifecycle (SDLC) and unfolds over time. The basic idea is simple: identify, rank, track, and understand software security risk as it changes over time.
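The five stages listed above and the "identify, rank, track" loop described here can be made concrete as a small risk register. The following is an added example written for this post, not Cigital Workbench code; the risk fields, the likelihood/impact scale and the business-context weights are assumptions, and the sample risks are constructed.

```python
from dataclasses import dataclass, field

# Constructed risk register that walks the five RMF stages: business context,
# identification, ranking, mitigation strategy, and fix validation.
@dataclass
class Risk:
    rid: str
    description: str
    business_risk: str          # business concern this technical risk threatens
    likelihood: int             # assumed scale: 1 (rare) .. 5 (near certain)
    impact: int                 # assumed scale: 1 (minor) .. 5 (severe)
    status: str = "open"        # open -> mitigating -> closed (or back to open)
    history: list = field(default_factory=list)

    def log(self, when, event):
        # keep the status trail so the risk can be tracked as the project unfolds
        self.history.append((when, self.status, event))

class RiskRegister:
    def __init__(self, context_weights):
        # stage 1: business context, expressed as a weight per business risk
        self.context = context_weights
        self.risks = {}

    def identify(self, risk, when):
        # stage 2: record a business or technical risk
        self.risks[risk.rid] = risk
        risk.log(when, "identified")

    def score(self, risk):
        # stage 3: synthesize likelihood, impact and business weight into one number
        return risk.likelihood * risk.impact * self.context.get(risk.business_risk, 1)

    def ranked(self):
        # stage 3: the ranked set, highest score first; closed risks drop out
        live = [r for r in self.risks.values() if r.status != "closed"]
        return sorted(live, key=lambda r: (-self.score(r), r.rid))

    def plan_mitigation(self, rid, when, strategy):
        # stage 4: define the mitigation strategy and move the risk into work
        r = self.risks[rid]
        r.status = "mitigating"
        r.log(when, f"mitigation: {strategy}")

    def validate(self, rid, when, passed):
        # stage 5: a fix is closed only after validation; a failed check reopens it
        r = self.risks[rid]
        r.status = "closed" if passed else "open"
        r.log(when, "validated" if passed else "validation failed")
        return r.status
```

The history list on each risk is what a dashboard would read to show status and progress over time.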