Building Security In Maturity Model Partly Applies to Detection and Response

Building Security In Maturity Model Partly Applies to Detection and Response

Gary McGraw was kind enough to share a draft of his new Building Security In Maturity Model. I'm not a "software security" guy but I found that the Governance and Intelligence components of the Software Security Framework apply almost exactly to anyone trying to build a detection and response, or "security operations", center. Consider:

• Governance




• Strategy and Metrics


• Compliance and Policy


• Training




• Intelligence




• Attack Models


• Security Features and Design


• Standards and Requirements

I think the whole document is just what the software security world needs, but the two sections should apply equally well, and almost without any modification, to someone trying to build a detection and response operation or at least trying to assess the maturity of their operation.