Saturday, May 26, 2018

Security Risk Assessment in The Internet of Things

The Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the Internet which “talk” to each other. This means that if your washing machine is connected to the Internet and reports its health information to the manufacturer’s cloud server, it qualifies as an IoT device. Simply put, the Internet of Things is made up of devices, from simple sensors to smartphones and wearables, connected together.
The IoT is one of the most talked about technologies nowadays. Every company is working on its implementation and introduction into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced by the deployment of this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, the threats they may face and the potential damage in case of exploitation. Once these risks are identified, they are prioritized and countermeasures are adopted to treat them.

These traditional approaches rest on certain assumptions, the primary one being that the environment changes slowly: identifying the assets is a one-time activity, and the asset list is not expected to change much over a risk assessment period of, say, six months at the least. What if the number of assets and the risks associated with them changed every day, or every minute? Clearly, risk assessment methodologies such as NIST SP 800-30, OCTAVE and FRAP were not designed to handle the complexity which IoT presents us.

In this blog post, we will try to understand the current methods of risk assessment, their shortcomings when applied to complex systems such as IoT, and propose certain methods to handle the issues at hand.

In the earlier blog post on Risk Management, we defined risk management as:
A process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

If we apply the same definition in the IoT environment, does the overall concept of risk management remain the same? In principle, yes. However, let us understand the practical challenges. Risk assessment is an integral part of risk management, and it is carried out through methodologies that let us assess the risk(s) faced by the organization. If we apply NIST SP 800-30, we need to identify the assets (IT only), the vulnerabilities and the threats faced, then calculate the risk, propose countermeasures to treat it, and finally monitor the complete system.

Let’s take another one. The Facilitated Risk Analysis Process (FRAP) is focused on identifying the systems that really need assessing, to reduce time and costs. It analyses one system, application or business process at a time. Data is gathered and threats to business operations are prioritized based on their criticality. Since it is a qualitative approach, you gather experts to discuss the risks which this particular asset, system or application would face.

If you observe these methodologies, you will notice that they focus on identifying critical assets and the harm that may occur to them, or on the threats faced by a particular asset or application. In other words, you follow an asset-based or a threat-based approach when you use these methodologies.

Clearly, these methodologies apply best to a static system. When the complexity and dynamism of the system change every minute, such risk assessment methodologies will not stand the test of time. Risk is a complex word in itself: it is a probabilistic measure of a threat exploiting a vulnerability. When threats and vulnerabilities change continuously, the calculation (quantitative) or identification (qualitative) of the risks faced becomes an enormous challenge.

An IoT device is not a complete system in itself. It needs many other parts to function fully and be usable; it is like a part of the body, useless without the rest of the body. In extremely simple terms, an IoT system is made up of at least three components: the application, the cloud environment and the “Thing” environment. All of these communicate with each other through application programming interfaces. The following article explains this in detail -

Thursday, May 24, 2018

Risk Analysis Approaches

Which color do you like? Choose one: Red, Amber or Green. Let’s try another one: how much would you like your company’s risk to cost, $10,000, $20,000 or $50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of colors on a heat map or in terms of numbers.

The two approaches to risk analysis are Quantitative & Qualitative. Let’s understand them.

Quanti – tative Approach

This break will help you remember that this approach is related to numbers: “Quanti” refers to quantity. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to take care of while calculating risk. Hence, in this approach, we assign a monetary value to each aspect so that at the end we can quantify, or measure, the value of the risk in dollar terms.

Let’s understand this through a simple example – 

There is a building worth $100,000. There is no fire suppression system installed in the building. In case of a fire, the building may be damaged and suffer a loss of $25,000, that is, around 25% of its value. Past experience shows that a fire occurs about once every 5 years.

The information above has been gathered as part of the risk assessment. Clearly, you can observe that every aspect has been assigned a value. The asset value (cost of the building) has been derived as $100,000. The loss has also been quantified. This is what quantitative analysis is all about.

Numbers are incomplete without some formulas.  So here comes the formula:

Asset Value * Exposure Factor = Single Loss Expectancy

Asset Value – What is the asset worth? At the risk assessment you have to include all the costs that make up the asset value: the cost to develop the asset, the cost to maintain it, the cost to replace it, the money spent to make it usable, the value of the asset to its owners, etc. Here the building value has been identified as $100,000, inclusive of all such costs.

Exposure Factor – What is the exposure if the threat materializes? What percentage of the asset value would be destroyed if the threat is realized? Here the building is affected by the fire and around 25% of it would be destroyed. This percentage is the exposure factor.

Single Loss Expectancy – The loss from a single realization of the threat. Notice the word expectancy here: we are expecting that this would be the loss in case of an actual fire.

In our example, if we wish to calculate the SLE, it would be like this –

AV – $100,000

EF – 25%, that is, 1/4 or 0.25

Hence, SLE = 100,000 * 0.25 = $25,000.

Therefore, the company would suffer a loss of $25,000 from a single fire.

Wait, the movie has not finished yet. Notice the last line in the scenario above: past experience has shown that a fire occurs once every 5 years. What does this mean and how does it fit here?

Every business needs to make such assessments on a yearly basis. If a fire occurs once every 5 years, the $25,000 loss is spread over a period of 5 years. This implies that the company can expect to lose, on average, $5,000 every year from this threat, and can budget for it accordingly.

This leads us to another formula.

Single Loss Expectancy * Annualized rate of occurrence = Annual Loss Expectancy

Annualized Rate of Occurrence – This value represents the estimated frequency with which a specific threat would occur over a period of 1 year. 

Here the ARO would be 1/5 or 0.2.

Hence, the annual loss which the company may face is $25,000 * 0.2 = $5,000.

This value helps the company decide which controls it would like to implement and how much money it can justify spending on them: a control that costs more per year than the annual loss it removes is not worth buying on financial grounds.
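As an added example (not code from the original post), here are the two formulas above carried through in Python, together with the cost/benefit comparison that the decision in the last paragraph implies: the net annual value of a safeguard is the ALE before minus the ALE after minus the annual cost of the safeguard, and a positive result means the control pays for itself. That comparison goes beyond the two formulas stated in the post. The sprinkler and gas-suppression figures, and the second “flood” threat used to show prioritization, are constructed assumptions, not figures from the post.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example for this post. The fire scenario uses the post's figures;
the safeguards and the flood threat are assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, described by the post's three inputs."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self):
        # Reject inputs that cannot be a valid AV/EF/ARO before any formula runs.
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0 and 1")

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A proposed control and its (assumed) effect on EF and ARO."""
    name: str
    annual_cost: float           # purchase amortised over its life plus maintenance
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def residual_ale(threat: Threat, safeguard: Safeguard) -> float:
    """ALE that remains after the safeguard is deployed."""
    after = replace(threat,
                    exposure_factor=safeguard.exposure_factor_after,
                    aro=safeguard.aro_after)
    return after.ale()


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value = ALE before - ALE after - annual cost of safeguard.

    Positive: the control removes more expected loss than it costs.
    Negative: it costs more per year than the loss it avoids.
    """
    return threat.ale() - residual_ale(threat, safeguard) - safeguard.annual_cost


def rank_by_ale(threats):
    """Highest ALE first: the order in which a limited budget should be spent."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# The post's scenario: a $100,000 building, fire destroys ~25%, once every 5 years.
FIRE = Threat("fire, no suppression system",
              asset_value=100_000, exposure_factor=0.25, aro=1 / 5)

# Constructed second threat so that prioritization has something to do.
FLOOD = Threat("flood in basement server room",
               asset_value=100_000, exposure_factor=0.10, aro=1 / 10)

# Two candidate controls with assumed costs and effects (not from the post).
SPRINKLERS = Safeguard("sprinkler system", annual_cost=1_500,
                       exposure_factor_after=0.05, aro_after=1 / 5)
GAS_SUPPRESSION = Safeguard("clean-agent gas suppression", annual_cost=6_000,
                            exposure_factor_after=0.02, aro_after=1 / 5)

if __name__ == "__main__":
    print(f"SLE = ${FIRE.sle():,.0f}, ALE = ${FIRE.ale():,.0f}")
    for sg in (SPRINKLERS, GAS_SUPPRESSION):
        print(f"{sg.name}: residual ALE ${residual_ale(FIRE, sg):,.0f}, "
              f"net value ${safeguard_value(FIRE, sg):,.0f}/year")
    print("spend on:", [t.name for t in rank_by_ale([FLOOD, FIRE])])
```

With the post’s figures the sprinkler option has a positive net value (it removes $4,000 of expected annual loss for $1,500 a year), while the gas system, although it protects better, costs more per year than the whole ALE and so cannot be justified on these numbers alone; the ranking helper shows why the fire threat, not the flood, gets the budget first.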

Risk Assessment Methodology

Having understood Risk Management & Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional, it is important for us to know the best approach for our organization and its needs.

1. NIST SP 800-30, which is considered a U.S. federal government standard.

It lays out the following steps:
• System characterization
• Threat identification
• Vulnerability identification    
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation

The NIST risk management methodology is mainly focused on: 
a) computer systems.
b) IT security issues. 

2. FRAP (Facilitated Risk Analysis Process)

• A qualitative methodology.
• Focuses only on the systems that really need to be assessed, which helps to reduce the cost and time spent on risk assessment.
• Risk assessment steps are carried out only on the item(s) that need it the most.
• Used to analyze one system, application or business process at a time.
• Data is gathered and threats to business operations are prioritized based on their criticality.
• The risk assessment team documents the controls that need to be put in place to reduce the identified risks, along with action plans for the control implementation efforts.
• This methodology does not attempt to calculate probability or likelihood figures.
• The criticality of each risk is determined by the team members’ understanding of the business processes.
• The goal is to keep the scope of the assessment small and the assessment process simple, for efficiency and cost-effectiveness.

3. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 

• Based on the idea that the people working in the environments best understand what is needed and what kind of risks they are facing. 
• The individuals who make up the risk assessment team go through rounds of facilitated workshops. 
• The facilitator helps the team members understand the risk methodology and how to apply it to the vulnerabilities and threats identified within their specific business units. 
• Scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP.
• Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.

4. ISO/IEC 27005

• An international standard for how risk management should be carried out within the framework of an information security management system (ISMS).
• Deals with IT and with the softer security issues (documentation, personnel security, training, etc.).

5. Failure Modes and Effect Analysis (FMEA)

• is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
• commonly used in product development and operational environments. 
• The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. 

Saturday, May 19, 2018

Understanding Risk Assessment

Risk Assessment is a part of the Risk Management process. It is a method of identifying vulnerabilities and threats, and the impact if a threat agent exploits a vulnerability, in order to suggest security controls. Many risk assessment methodologies are available, such as NIST SP 800-30, FRAP, OCTAVE and Delphi, to assess the level of risk.

In simple terms, risk assessment involves identifying weaknesses, threats and the potential damage in case of exploitation, and based on this you recommend certain countermeasures.

Sounds simple? In practice it is the most challenging, time-consuming and difficult work in the entire risk management process. Let’s understand what makes this straightforward-looking process so difficult to execute. You are a security professional and the CEO calls you to do the security assessment of the site at New Delhi. If you start doing the risk assessment straight away, I assure you that you will end up pulling your hair out. Why so? You will realize the answer to this question if you try to answer the following questions:

1. What is the scope of your risk assessment? 
2. Does it involve only the physical assets of the building? 
3. Do you need to consider all the functions operating out of the building?
4. Do you need to involve the third party vendors under this assessment?
5. Would you include the intangible assets in this assessment?
6. What is the time limit for this assessment?
7. Are there any budgetary constraints for this assessment?
8. What methodology would you choose for the asset valuation? Will you include assets that are about to be scrapped?

Unfortunately, a lot of security professionals and businesses do not answer these questions before beginning the risk assessment.

The most important criterion for any risk assessment is buy-in from top management. This buy-in must include the time limit and budget for the risk assessment activity. In some cases, the scope of the assessment may be defined by top management or at the middle management level. If the scope, time and budget are finalized, half of the problem is solved.

 Let’s talk about the other half. Risk Assessment involves the following 4 steps:

1. Identify the assets and their valuations.
2. Identify the vulnerabilities and threats associated with them.
3. Quantify the probability and business impact of these potential threats.
4. Recommend countermeasures with a balance between cost and benefit.

These steps look simple to complete, and in a sense they are. However, there is a catch. Well, there is always a catch in the security role. Let’s understand this step by step.

1. As a security professional, you may be an expert in security, but you will not be able to understand all the risks a department faces. This issue is resolved by working with a cross-functional team. Since each organization has different departments, and each department has its own functions, resources and tasks, the most effective risk analysis requires a risk analysis team that includes individuals from many or all departments, to ensure that all of the threats are identified and addressed. Hence, the assessment depends heavily on this team working together.

2. Asset identification – Tangible, intangible or both? This needs to be finalized in the early stages.

3. Asset Valuation – It is important to ask questions during this phase. There are many costs associated with a particular asset, and they are not limited to its market cost. The value placed on information is relative to the parties involved: what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, what adversaries would pay for it, and what liability penalties could be incurred. If this activity is not done properly, it creates problems when countermeasures are to be deployed. An organization working on advanced defense projects would deploy different countermeasures for its servers than it would for an ice cream vending machine remotely controlled by a server.

If all these steps are done, you have completed the risk assessment. Now you can present the report to the CEO who asked you to do it. Wait, the CEO has a different report from another professional who was asked to conduct the same assessment. The results are as different as day and night. This is a common issue which comes up when a standard methodology is not followed for risk assessment.

Let’s explore the risk assessment methodologies in the next article. 

What are your thoughts on risk assessment? Which of the following steps do you find the most difficult? Share your thoughts in the comments below.

Wednesday, May 16, 2018

Demystifying Risk Management

When you speak to security professionals or the management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available in the market, with a focus on applications, hacking, malware and, nowadays, data breaches. Although these items are important to consider, they are an extremely small part of the overall information security puzzle.

Consider an organization that designs nuclear reactors and another that provides cloud backup solutions. Would risk management be the same for both organizations? The answer is NO, as most of you would agree. Both organizations are vulnerable to certain threats which may threaten their business models. Every business exists to make money, and security becomes an issue only when this bottom line is affected. Risk management should always be done with the objective that the threats identified do not affect the bottom line. Hence, it is critical that security professionals understand the threats faced by a company, but it is more important that they understand how to calculate the risk of these threats and map them to business drivers.

Let’s take up the two scenarios once again. In both cases, there are innumerable threats which these businesses face. Should a business work on resolving every threat it faces? From a business standpoint, it can allot only a certain amount of money to resolve them. What security professionals need to understand is that even if a company faces innumerable threats through a lot of vulnerabilities, they need to prioritize the risks arising from these threats and resolve them with the limited budget available. In order to do so, every business will come up with an acceptable level of risk which it can withstand even if it materializes.

Based on the above discussion, we can define risk management as:

The process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

We must ponder two important words here: management and maintaining. Management of the risk means identifying, resolving and then reviewing again, and repeating this cycle. A lot of security professionals confuse this with the term Risk Assessment. Risk Assessment is only a part of the overall Risk Management cycle. Maintaining is another aspect which a lot of companies get confused about. Risk Management should not be a “fit it and forget it” activity; it must be done on a periodic basis to ensure that the acceptable level of risk is maintained at all times. But what happens when a new risk comes up but does not affect the acceptable level of risk?

Imagine the business handling the nuclear reactor faces a new risk because a vulnerability has been discovered in an application which controls the cooling of the reactor. The vulnerability can be exploited only by an attacker who logs into the system interactively with administrator access and runs a specific command from the command prompt.

What should a security professional do? The first step is to assess how the risk has changed in comparison to the acceptable level. To evaluate this, a risk assessment needs to be done, which will tell the professional what the future course of action should be. Many companies, however, do not evaluate the change in risk levels and jump straight to patching the vulnerability, which is the wrong order. You may argue that a newly detected vulnerability may impact the company and hence needs to be patched anyway, so why not patch it straight away? It ultimately boils down to the security budget and resources at your disposal. If the budget is tight, no resources are available and the acceptable risk level has not been exceeded, it is a reasonable option to schedule the fix behind the more important issues at hand rather than drop everything to patch it. The assessment must, however, record the assumption it rests on: here, that exploitation requires interactive administrator access. If that assumption later fails (stolen administrator credentials, a malicious insider, or a newly published remote path to the same flaw), the risk has changed and the assessment must be repeated.

Since every organization has a finite amount of money and an almost infinite number of vulnerabilities, properly ranking the most critical vulnerabilities so that your company maintains its acceptable level of risk is what risk management is all about. Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put in place to deal with those threats, and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.

Monday, May 14, 2018

Understanding Control Types & Functionality

A safeguard or a control or a countermeasure is implemented to reduce risk an organization faces. 

Let’s understand it through some examples.

1. A company puts in antivirus solutions to reduce the potential danger from malware.
2. Citizens put in steel gates at the entry of the streets in their areas.
3. A leading e-commerce company deploys a backup solution.
4. Person deploys a CCTV at his home.
5. Since the organization could not build a perimeter wall, it deploys security guards to patrol the area around the building.

What do all of these examples have in common? In each of them, a mechanism has been deployed to reduce the potential danger which an organization or an individual faces. This mechanism reduces the level of risk and is called a control.

There are 3 types of control which can be deployed:

1. Administrative Controls (Managerial) – Controls that are deployed from a management perspective. Also known as soft controls. Examples include security policies, training, internal company standards, etc.

2. Technical Controls (Logical) – Controls that are technical in nature and operate at the logical level. Examples include firewalls, encryption, anti-virus, authentication and access control mechanisms, etc.

3. Physical Controls – These are put in place to ensure physical security. Examples include – security guards, fences, perimeter walls, CCTV, doors, dogs etc.

Controls of all three types can provide any of the following six functionalities:

1. Preventive – Controls that try to prevent an incident from happening.
2. Corrective – Control that fixes things after an incident has happened.
3. Detective – Controls that identify an incident or an attempted attack while or after it happens (logs, intrusion detection, CCTV review, audits).
4. Recovery – Controls that help you recover from the incident
5. Deterrent -  Discourage an attacker from attacking.
6. Compensating – An alternative control put in place when the intended (primary) control cannot be implemented.

These definitions are quite straightforward and should be applied as such. For example, consider the second example where steel gates have been deployed. Steel gates are a preventive control deployed by the residents. Your train of thought may run like this: an attacker would see the steel gate and be discouraged, so it must be a deterrent control. Note that in every case you need to understand the basic intent behind the control, and then you will get the functionality right. A steel gate has been deployed to stop something bad from happening, and hence it is a preventive control.

Another point to remember is that controls must be deployed in layers, like an onion. It is advisable to put preventive, detective and corrective controls in place in a layered fashion so that you are able to prevent the attack in the first place; if you could not prevent it, you are able to detect it; and if you failed to detect it in time, you are able to correct what has happened.

Let’s leave you with something to work upon. 

Todd is a security specialist deployed by a leading e-commerce company. He has been asked to create a list of preventive controls which can be deployed to protect the company’s internet facing servers from being hacked. Can you list down a few preventive controls to help Todd?

Saturday, May 12, 2018

Understanding Vulnerability, Threat & Risk

Consider the following two examples:

There is an office building where there are no physical security controls. There is no perimeter wall to surround the building. On entry, you do not find any identification proofs being asked. There is no baggage scanner.

An e-commerce company has around 50 computers in an office, through which it manages its back-end operations. The systems are not connected to the Internet and hence no anti-virus solution is installed on them. Moreover, anyone can log in to these systems, as there is no authentication mechanism (simply stated, no username and password) required to log in.

What do you make of the above scenarios? I sense that you understand that in both the above situations, there is a risk to the building and the company. Let’s understand the definitions of the three most commonly used terms in information security.

Vulnerability – A weakness. In other words, the inability to withstand the effects of a hostile environment. In terms of information security, we refer to a weakness from the physical or the logical aspect, i.e. it can be a hardware, software, human or physical weakness.
Now read the scenarios once again. Can you identify the vulnerabilities in these scenarios? In the first one, one of the weaknesses is the lack of a perimeter wall. Here the perimeter wall would be called a countermeasure. A countermeasure is a safeguard that is put in place. Hence a vulnerability can also be defined as the “lack of a countermeasure”. Another weakness is that no identification proof is asked for, which allows anyone to enter the building.

In the 2nd scenario, lack of antivirus solution will be considered as a vulnerability. The lack of any authentication mechanism is also a weakness.

Threat – The potential danger of the vulnerability being exploited. In the first scenario, there is a threat of a person entering the building and attacking it. In the second scenario, there is a potential danger of the systems being infected by viruses or encrypted in a ransomware attack. In both cases, there is a potential danger of the weaknesses in the systems being exploited by an entity. This entity is known as the threat agent. So, simply stated, the threat agent is an entity that can exploit the weaknesses in the system. A threat agent can be a person, a piece of software or a bot.

Risk – Read the above scenarios once again. What is the likelihood here that the building will be attacked or that the systems will be hit with ransomware? The probability which you calculate, or estimate from experience, of a threat agent exploiting the vulnerability, combined with the damage that would result, is the risk. Many books write this in numerical terms as a multiplication of threat and vulnerability (often with impact as a third factor). If the vulnerability gets exploited by a threat agent, damage may occur; hence risk is the real potential for damage.

Let me ask you another question. Do you think the risk would change if I gave you the additional information that the office building is near a military zone and that the systems have their USB ports disabled? If your answer is yes, great. This is called the context in which you talk about risk. A risk is not something which is calculated once and acted upon, nor is it the same in every context or scenario. As scenarios, conditions and countermeasures change, risk changes. Unfortunately, many organizations do not understand this fact.

Let’s consider the following scenario to understand these terms better once again.

JJ is the new security manager in a firm. He is asked to review the risk which his organization faces and submit a report. Upon analyzing the company controls, JJ finds that the company does not have an asset inventory in place. The users are also not aware of the policies and procedures of the organization.

1.       What would JJ classify the awareness issue as?
a.       Threat
b.       Threat Agent
c.       Risk
d.       Vulnerability.
2.       How would you classify the asset inventory issue?
a.       Threat
b.       Threat Agent
c.       Risk
d.       Vulnerability

Write your answers in the comment section below. 

Monday, May 7, 2018

8 Important Cybersecurity lessons to learn from Avengers

1. Security isn’t just one person’s responsibility – To be truly effective, we need to develop a culture of security that turns it into a company-wide effort. In most organizations, it is believed that security is the responsibility of either the security administrator or the chief security officer. In fact, it is the responsibility of everyone in the organization, from the foot soldier to the king.

2. Hackers hail from all over the world (maybe even beyond) – Your attacker can come from any part of the world. The organization can be attacked from anywhere, and the threat cannot be limited to the district, state or country your organization is based in. After all, Thanos was not from this world, and still he wanted something from Earth.

3. You need to be a team player – The security team needs to work with various cross-functional teams to achieve results. The Avengers are what a team means: you need to be a team player and keep aside your differences to ensure security is implemented in the best manner possible.

4. Communication is key - Your coworkers will always have different ideas, motivations, and communication styles than you do — so it's imperative that you take the time to actively listen to the other members of your team when they speak up with their ideas or objections. 

5. Good security comes in layers – You're on a battlefield. There's an impenetrable mass of troops in front of you. You can't possibly break through it. What do you do? Defense In Depth is an ancient military strategy designed to solve exactly this problem. The battle in Wakanda shows that we need to be prepared on multiple fronts to save our precious infrastructure.

6. Improving security isn’t a once-in-a-lifetime activity – If you have followed Iron Man, who is an integral part of the Avengers, you would appreciate the changes he has made to his suit over time. The latest suit in Avengers: Infinity War boasts integrated nanotechnology. In a similar sense, we need to keep changing our security deployment based on risk assessments done on a continuous basis.

7. Preparing for the inevitable – We always need to be prepared for the inevitable. Security isn’t a morning activity that is performed once a day like brushing your teeth. Being prepared for an attack 24*7 by implementing various security controls is the key to survival.

8. Beware of “red flags” – When security teams highlight vulnerabilities through risk assessments or internal audits, or when the SIEM tools beep continuously, do not ignore those red flags. If you ignore these early warnings, you may end up with half of your organization’s finances and brand value wiped out in no time.

Image Courtesy : Google & Marvel.

Blog Updates for the Reader

Thank you for being a part of this journey with me. Your love and affection have helped me to continuously improve myself and write about information security both in general and in relation to the CISSP and SSCP exams. I have been thinking about the future course of this blog and, based on an analysis of the previously published blog posts and readers’ feedback through various channels, going forward the blog will be segregated into the following major categories.

1. Opinion – This would be a column where I would be sharing my viewpoints giving relevant examples.

2. Technology/Cybersecurity Series – This would be a 3- to 5-part series on upcoming technologies and process improvements, to help you understand the technology/process in a simple manner and then prompt you to think about the security concerns in those topics.

3. Exam Related Updates / Course Content – All details about the exam updates/happenings and the entire course material of SSCP & CISSP exam will be posted on the blog. 

4. Video Courses – The Video Courses of various exams will be posted on the YouTube Channel and the blog.

In addition to this, there may be general articles on various trending security happenings occasionally.

I request your co-operation and utmost support to help me improve this blog so that I can present you security related stuff in an easy, engaging and simple format. Your comments and feedback are highly valuable to me. Share your ideas, opinions or suggestions in the comments section below.

Thank you once again to all the readers around the world. Keep reading and sharing :)

Friday, May 4, 2018

CISSP Domain 8 Changes - 2018 vs 2015

Domain 8 also sees very little change in terms of course content.

2015 Exam Outline vs 2018 Exam Outline

1. 2015: Understand and apply security in the Software Development Life Cycle (SDLC)
   2018: Understand and integrate security in the Software Development Life Cycle (SDLC)
   Sub-topics (same in both years):
   • Development methodologies
   • Maturity models
   • Operation and maintenance
   • Change management
   • Integrated product team
   No change, apart from the wording of the objective.

2. 2015: Enforce security controls in development environments
   • Security of the software environments
   • Security weaknesses and vulnerabilities at the source-code level
   • Configuration management as an aspect of secure coding
   • Security of code repositories
   • Security of application programming interfaces
   2018: Identify and apply security controls in development environments
   • Security of the software environments
   • Configuration management as an aspect of secure coding
   • Security of code repositories
   No change in the remaining sub-topics; the two sub-topics on source-code weaknesses and API security move to the new objective 5 below.

3. 2015: Assess the effectiveness of software security
   • Auditing and logging of changes
   • Risk analysis and mitigation
   • Acceptance testing
   2018: Assess the effectiveness of software security
   • Auditing and logging of changes
   • Risk analysis and mitigation
   No change, except that acceptance testing has been removed.

4. 2015: Assess security impact of acquired software
   2018: Assess security impact of acquired software
   No change.

5. 2018 only (new objective): Define and apply secure coding guidelines and standards
   • Security weaknesses and vulnerabilities at the source-code level (moved from objective 2)
   • Security of application programming interfaces (moved from objective 2)
   • Secure coding practices (new)
   The first two sub-topics already existed under objective 2 in 2015; “Secure coding practices” is the only addition.

In summary, the domain weightings (% weightage in 2015 vs % weightage in 2018):
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communications and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security