How can I implement the Axis Security Development Model (ASDM) in my development team? (Axis Communications Security Development Model Software User Manual)

Answer

manuals.plus

Feb 21, 2025 - 06:31 AM

To implement the Axis Security Development Model (ASDM) in your development team, follow these steps:

1. Familiarize yourself with the ASDM objectives: The ASDM aims to integrate software security into Axis software development activities, reduce security-related business risks, meet customer security considerations, and enable early detection and resolution of issues.

2. Understand the roles and responsibilities: The Software Security Group (SSG) is responsible for governing the ASDM and evolving the toolbox over time. Satellites, who are developers with a natural affinity for software security, assist in implementing ASDM activities in development teams. Managers secure resources and drive tracking and reporting on ASDM status and coverage.

3. Rollout the ASDM activities: The ASDM activities are rolled out to development teams in a staged process. The team is introduced to the new activity through role-specific training. The SSG works together with the team to perform the activity for selected parts of the system. Once the team is ready to work independently, further activities are handed over to the team and satellite.

4. Follow the ASDM roadmap and rollout plan: The SSG owns the ASDM roadmap and rollout plan. New versions of the ASDM with modified or added activities are rolled out to teams. The time spent by SSG with a team depends on the activity and code complexity. Successful handover to the team requires the presence of an embedded satellite.

5. Monitor ASDM status: The ASDM status structure includes team status, component status, and solution status. Teams assess their ASDM maturity, metrics related to security analysis activities, and security status of components. The line manager is responsible for adopting new ASDM versions.

6. Perform ASDM activities: The ASDM activities include risk assessment, data privacy assessment and analysis, threat modeling, static code analysis, vulnerability scanning, and external penetration testing. Each activity has specific objectives and steps outlined in the manual.

By following these steps, you can effectively implement the Axis Security Development Model in your development team and integrate security throughout the software development lifecycle. For more detailed information and guidance, refer to the AXIS Security Development Model Software User Manual.