The Cigital Workbench


A key requirement for putting the RMF into practice is automating aspects of the process. Without automation, the elaborate steps of the RMF can become tedious. Those aspects best suited for automation include tracking, storing, and manipulating data about risks; displaying and measuring data about risks; and providing critical information and automation regarding processes. Note that automation like this supports the notion of ongoing, continual updating and refinement of risk data over time.

Cigital provides professional services based on applying the RMF philosophy. We created and use a toolset called the Workbench to make our jobs as consultants more efficient, effective, and consistent. The Workbench, in some sense, is an automated RMF. It is a combination of simple tools and automated processes used to help consultants assess software quality.

The Workbench has three major components:

  1. Quality workflows and knowledge

    • Automated RMF[9]

      [9] The Workbench automates a more detailed RMF than the one presented in this chapter.

    • Process models and detailed descriptions of software assurance methods (called "the Matrix" internally)

    • Deliverable templates, reporting, and metrics

  2. Project communication and collaboration tools

    • A risk management dashboard, used to communicate risk mitigation status and progress (Figure 2-3)

    • A complete knowledge management and document management system (which in version 1 leverages the Livelink knowledge management software)

    • Decision criteria and guidance

  3. Process evolution and knowledge capture

    • Process models built to be instantiated and adjusted in particular projects

    • History and knowledge catalogs

Figure 2-3. The Cigital Workbench risk management dashboard displays information about software risk and business impact over time.


These components capture fundamental aspects of the RMF.

Central to the idea of the Workbench is the notion of tracking information about risks. The Workbench automatically creates associations between technical risks and business risks, and supports impact analysis and ranking on top of those associations. Basic risk information is available in a risk log (Figure 2-4). Information about the relationship between business goals and technical risks is displayed in one of many available tables (Figure 2-5).

Figure 2-4. The Cigital Workbench allows technical risks and business risks to be tracked over time. The risk log here provides a snapshot of risk status. Tracking risk status is central to the success of the RMF process.


Figure 2-5. Technical risks must be tied to business goals or wither under the glare of the ultimate question: "Who cares?"
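The following Python is an added illustration of the three operations the text names (technical-risk-to-business-risk associations, impact analysis, ranking) together with the over-time tracking shown in the risk log of Figure 2-4 and the goal/risk table of Figure 2-5. It is not the Workbench's own code: the chapter does not describe the Workbench's data model or scoring. The 1-5 scales, the likelihood x severity technical score, the business-goal weights, the roll-up rule and the sample goals, risks and snapshot dates are all assumptions constructed for this example.

```python
"""Minimal risk log: goal/risk associations, impact analysis, ranking, history.

Added example, not Cigital Workbench code.  Scoring rules are assumptions:
technical score = likelihood * severity (both on an assumed 1..5 scale),
business score  = technical score * sum of weights of the linked goals,
goal impact     = sum over linked risks of technical score * goal weight.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BusinessGoal:
    goal_id: str
    description: str
    weight: int  # 1 (nice to have) .. 5 (existential); assumed scale


@dataclass
class TechnicalRisk:
    risk_id: str
    description: str
    likelihood: int       # 1..5, assumed scale
    severity: int         # 1..5, assumed scale
    goal_ids: List[str]   # business goals this risk threatens
    status: str = "open"  # open | mitigating | closed


class RiskLog:
    """In-memory risk log keyed by risk id, with dated status snapshots."""

    def __init__(self) -> None:
        self.goals: Dict[str, BusinessGoal] = {}
        self.risks: Dict[str, TechnicalRisk] = {}
        # (iso date, {risk_id: status}) so status can be tracked over time
        self.history: List[Tuple[str, Dict[str, str]]] = []

    def add_goal(self, goal: BusinessGoal) -> None:
        self.goals[goal.goal_id] = goal

    def add_risk(self, risk: TechnicalRisk) -> None:
        # "Who cares?": a technical risk must map to at least one known goal
        unknown = [g for g in risk.goal_ids if g not in self.goals]
        if not risk.goal_ids or unknown:
            raise ValueError(f"{risk.risk_id}: needs known business goals, got {risk.goal_ids}")
        self.risks[risk.risk_id] = risk

    def technical_score(self, risk_id: str) -> int:
        r = self.risks[risk_id]
        return 0 if r.status == "closed" else r.likelihood * r.severity

    def business_score(self, risk_id: str) -> int:
        r = self.risks[risk_id]
        return self.technical_score(risk_id) * sum(self.goals[g].weight for g in r.goal_ids)

    def goal_impact(self, goal_id: str) -> int:
        w = self.goals[goal_id].weight
        return sum(self.technical_score(r.risk_id) * w
                   for r in self.risks.values() if goal_id in r.goal_ids)

    def rank_risks(self) -> List[Tuple[str, int]]:
        # Highest business score first; ties broken by id for a stable ranking
        return sorted(((rid, self.business_score(rid)) for rid in self.risks),
                      key=lambda t: (-t[1], t[0]))

    def associations(self) -> Dict[str, List[str]]:
        # The goal -> technical risks table (cf. Figure 2-5)
        return {g: sorted(r.risk_id for r in self.risks.values() if g in r.goal_ids)
                for g in self.goals}

    def set_status(self, risk_id: str, status: str) -> None:
        if status not in ("open", "mitigating", "closed"):
            raise ValueError(f"unknown status {status!r}")
        self.risks[risk_id].status = status

    def snapshot(self, when: str) -> None:
        self.history.append((when, {rid: r.status for rid, r in self.risks.items()}))

    def status_trend(self, risk_id: str) -> List[Tuple[str, str]]:
        return [(d, s[risk_id]) for d, s in self.history if risk_id in s]


def build_sample_log() -> RiskLog:
    """Constructed sample data (assumption, not from the chapter)."""
    log = RiskLog()
    log.add_goal(BusinessGoal("G1", "Protect customer PII", 5))
    log.add_goal(BusinessGoal("G2", "Keep checkout available", 4))
    log.add_goal(BusinessGoal("G3", "Pass the annual compliance audit", 3))
    log.add_risk(TechnicalRisk("R1", "SQL injection in order search", 4, 5, ["G1", "G3"]))
    log.add_risk(TechnicalRisk("R2", "No rate limiting on login", 3, 3, ["G2"]))
    log.add_risk(TechnicalRisk("R3", "Verbose stack traces in production", 5, 2, ["G1"]))
    log.snapshot("2005-01-15")           # baseline: everything open
    log.set_status("R1", "mitigating")   # work started on the top-ranked risk
    log.snapshot("2005-02-15")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for rid, score in log.rank_risks():
        print(rid, score, log.risks[rid].status)
    print(log.associations())
```

Note that ranking is driven by the business-weighted score, not the raw technical score: R3 (a lower-severity finding tied to the most important goal) outranks R2 (a higher technical score tied to a less weighted goal), which is the point the table in Figure 2-5 makes. Closing a risk drops its contribution to every linked goal's impact while its history remains in the snapshots.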





Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw