Software Security Standards

Following good practices helps a project succeed. Those good practices are often articulated in well-established standards.

A security standard is a set of practices and controls: not exhaustive or perfect, but comprehensive enough that almost every use case is covered.

Examples include the ISO/IEC 27000 series for information security management and ISO/IEC 27034 for application security.

Auditors often use COBIT (Control Objectives for Information and Related Technologies), a framework for IT governance and management practices and processes.

NIST also publishes SP 800-37 (the Risk Management Framework) and SP 800-39 (managing information security risk), which address risk management across the system development life cycle.

For application security, the OWASP Top 10 is the most widely cited reference, though it is an awareness document listing the most common risk categories rather than a complete standard; the OWASP ASVS (Application Security Verification Standard) is the companion document that lists verifiable requirements. OWASP also creates and maintains SAMM (Software Assurance Maturity Model) for assessing and improving an organisation's software security practices.

Summary: we can only protect against risks we are aware of and anticipate. Standards help ensure that all software security factors have been identified.