Secure Coding: Principles and Practices by Kenneth R. van Wyk, Mark G. Graff

6.4. Risk Assessment Methodologies

The testing and assessment tools and methodologies discussed in earlier sections are each applied at their respective stages of an application's development lifecycle. In addition to these specific tools and methodologies, there are several approaches to reviewing the overall risk that an application system poses to a business, and these are, by and large, independent of where they are applied within the lifecycle. In this section we describe two advanced risk assessment methodologies: ACSM/SAR (Adaptive Countermeasure Selection Mechanism/Security Adequacy Review) and ASSET (Automated Security Self-Assessment Tool).

At least some of the components of ACSM/SAR and ASSET could also be performed at different points within the development lifecycle. For example, evaluating a risk level at design time using the ACSM/SAR process could save you considerable time and expense later.

6.4.1. ACSM/SAR

Some years ago, both of us were lucky enough to work directly on the Security Adequacy Review (SAR), a project initiated and managed at Sun Microsystems by Tim Townsend. The technical software and mathematical theory underpinning the SAR is known as the Adaptive Countermeasure Selection Mechanism (ACSM).

The goal of the ACSM/SAR project was to generate a set of software and processes that would produce a security "specification" for Sun's key applications—the applications ...
