Frameworks and maturity models explained скачать в хорошем качестве

Frameworks and maturity models explained

ISO 27001, NIST CSF, NIST SSDF, CIS Critical Security Controls Framework. All these things are called frameworks. But what are they really? Why do we need them? And are they only relevant for GRC teams in large organizations? If all your tools show green dashboards, isn’t that enough to claim your software product is secure? In this episode of AppSec Science I explain why frameworks are essential for systematically managing risk across teams, business units and entire organizations. I map out the full domain of application security, from the broad world of information security all the way down to the most scoped domain, the software development lifecycle. One of the key takeaways, compliance almost never leads to real security. Strong security on the other hand will drastically reduce the effort needed to achieve compliance. And in that space, the best framework to start with by far is OWASP SAMM.