What I found particularly interesting was the section on how they mitigate risks that have been identified by their threat models. From the article:
The software security field has matured over the past decade, and a wealth of information on how to mitigate many common issues is widely available—but the quality and consistency of that information varies.
And in reference to the approach EMC came up with:
The mitigation strategies include changes that developers can make during the design phase as well as downstream coding, documentation, and maintenance considerations. Where appropriate, the guidance includes sample code and references to recommended toolkits and frameworks. It also includes alternative mitigations along with their implications and when they should or shouldn’t be considered.
From the brief description of their approach it seems to me that it nicely complements the MMM ideas I have been espousing, which fundamentally are based on the same concerns (the immature mitigations that are readily available on the web).
They definitely do not have a "one size fits all" approach to their mitigations, and you could almost refer to it as Pick 'n' Mix (albeit a bit flippantly). The point (and I'm reading between the lines here) is that they have different solutions for different situations, each tailored to their needs, and the solutions are not just technical but address a range of activities across the development life-cycle.
It's good to see a company taking a well-rounded approach to their mitigation strategies; let's hope more companies can learn from them.