en:cs:quality_report

Differences

Below are the differences between two revisions of the page.


en:cs:quality_report [2018/02/11 21:55] – [Corporate requirements] fraggle | en:cs:quality_report [2021/12/27 18:25] (Current version) – external edit 127.0.0.1
Line 69: Line 69:
 ===== Product Standards Compliance Process ===== ===== Product Standards Compliance Process =====
  
-The Product Standards (PS) Compliance process is a process in where every SAP product needs to plan, implement, test, and report its fulfillment of the product standard requirements. This process is a lean governance type one. +The Product Standards (PS) Compliance process is a process in where every SAP product needs to plan, implement, test, and report its fulfillment of the product standard requirements. This process is a lean type governance one. 
  
 ==== Governance Model ==== ==== Governance Model ====
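Review bot: the wording change in the last sentence of this paragraph is a regression rather than a fix: "This process is a lean governance type one" was already awkward, and "This process is a lean type governance one" reads worse. Suggest "This process follows a lean governance model." While editing that sentence, "a process in where every SAP product" should be "a process in which every SAP product".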
Line 210: Line 210:
 ==== Role of the Product Standard Security requirements ==== ==== Role of the Product Standard Security requirements ====
  
-By introducing the risk-based secure Software Development Lifecycle the product standard security acts as product security knowledge base containing best practices of secure software development and as a threat-library for the program specific risk assessment. The question whether a program needs to comply with a product standard requirement or not depends on the underlying risk that was identified and rated during the risk assessment.  According to the lean governance concept the Product Owner is responsible to ensure an adequate security level in the product by managing risks and mitigations diligently. As a consequence a program can decide which risks can be accepted and which risks need to be partlxy or full mitigated, as long corporate requirements are not violated.+By introducing the risk-based secure Software Development Lifecycle the product standard security acts as product security knowledge base containing best practices of secure software development and as a threat-library for the program specific risk assessment. The question whether a program needs to comply with a product standard requirement or not depends on the underlying risk that was identified and rated during the risk assessment.  According to the lean governance concept the Product Owner is responsible to ensure an adequate security level in the product by managing risks and mitigations diligently. As a consequence a program can decide which risks can be accepted and which risks need to be partly or full mitigated, as long corporate requirements are not violated.
  
 In case of corporate violations in addition an exceptional approval needs to be requested. In case of corporate violations in addition an exceptional approval needs to be requested.
  
-Links to the requirements are provided in the table below ordered by relevant security topics. In addition, further columns of the table indicate if a requirement belongs to (A) Regulatory Compliance (B) Vulnerability Prevention (C) Strategy and Reduction of Attack Surface.+List of the requirements is provided in the table below ordered by relevant security topics. In addition, further columns of the table indicate if a requirement belongs to (A) Regulatory Compliance (B) Vulnerability Prevention (C) Strategy and Reduction of Attack Surface.
  
 ==== List of Product Standard Requirements ==== ==== List of Product Standard Requirements ====
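Review bot: the "partlxy" → "partly" fix leaves two other errors in the same sentence: "partly or full mitigated" should be "partly or fully mitigated", and "as long corporate requirements are not violated" should be "as long as corporate requirements are not violated". In the second changed paragraph, "List of the requirements is provided in the table below" drops the article; suggest "A list of the requirements is provided in the table below". Note that this change also removes the word "Links"; if the table rows still link to the individual SEC requirements, the original "Links to the requirements are provided" was the more accurate description. The unchanged sentence "In case of corporate violations in addition an exceptional approval needs to be requested" would read more clearly as "In case of corporate requirement violations, an exceptional approval additionally needs to be requested."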
Line 275: Line 275:
 | SEC-244 - Deliver with a secure default configuration | | |X|  | SEC-244 - Deliver with a secure default configuration | | |X| 
 | SEC-275 - Enforce address space layout randomization, executable space protection and buffer overflow protection | | |X|  | SEC-275 - Enforce address space layout randomization, executable space protection and buffer overflow protection | | |X| 
-| Secure-by-design | | | |+**Secure-by-design** | | | |
 | SEC-219 - Provide a risk-adequate second line of defense against malicious input from the Internet | | |X|  | SEC-219 - Provide a risk-adequate second line of defense against malicious input from the Internet | | |X| 
 | SEC-228 - Protect upload, download and display functions of untrusted files against MIME-type sniffing and virus attacks | | |X|  | SEC-228 - Protect upload, download and display functions of untrusted files against MIME-type sniffing and virus attacks | | |X| 
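Review bot: the new row `**Secure-by-design** | | | |` drops the leading `|`, so in DokuWiki table syntax it is no longer parsed as a table row: the table is split at this point and the text is rendered as a bold paragraph followed by a stray `| | | |`. The heading rows above and below (`| SEC-244 ...`, `| SEC-219 ...`) all start with `|`. Suggest `| **Secure-by-design** | | | |` so the bold section label stays inside the table and the three classification columns (A/B/C) remain aligned with the requirement rows.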
Line 324: Line 324:
 The Global Security Policy is a criticality driven approach. The Global Security Policy is a criticality driven approach.
 The Corporate requirement Develop and Operate Secure Software Products defines the following non-compliance: The Corporate requirement Develop and Operate Secure Software Products defines the following non-compliance:
-  * Known open vulnerabilities with CVSS base score >=7.0 are going to be delivered or re-delivered to customers in a new release or support package+  * Known open vulnerabilities with CVSS (Common Vulnerability Scoring System) base score >=7.0 are going to be delivered or re-delivered to customers in a new release or support package
  
 Besides of corporate product standard requirement deviations a corporate requirement non-compliance can also happen in case of a  process violation. Besides of corporate product standard requirement deviations a corporate requirement non-compliance can also happen in case of a  process violation.
  
-For Security and DPP this means:+For Security and DPP (Data Protection & Privacy) this means:
   * A Security Validation Report is rated by two stars or less can be considered as a process violation and exceptional approval needs to requested    * A Security Validation Report is rated by two stars or less can be considered as a process violation and exceptional approval needs to requested 
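Review bot: expanding CVSS and DPP on first use is the right call, but the surrounding unchanged lines still carry errors that this edit could have picked up. The bullet "A Security Validation Report is rated by two stars or less can be considered as a process violation and exceptional approval needs to requested" should read "A Security Validation Report rated two stars or less can be considered a process violation, and an exceptional approval needs to be requested." Two lines earlier, "Besides of corporate product standard requirement deviations ... in case of a  process violation" should be "Besides corporate product standard requirement deviations ... in case of a process violation" (drop "of" and the double space). Since the CVSS bullet defines a hard non-compliance threshold, it is also worth stating explicitly that the 7.0 cut-off applies to the base score only, which the new wording does say but the later "process violation" text does not repeat.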