Software Security Automation: Security Controls Evaluation Criteria

Written by ND-ISAC Application Security Working Group

In “Software Security Automation: Security Controls Evaluation Criteria“, members of the National Defense Information Sharing and Analysis Center (ND-ISAC) offer a practical approach for any enterprise application security team to use when selecting security tools for their organization. This Tool Evaluation Framework compliments the ND-ISAC AppSec Working Group’s previous white paper, “Software Security Automation: A Roadmap Toward Efficiency and Security” with detailed criteria and a framework for evaluating and scoring security automation tools.

After publishing the foundational “roadmap” paper, ND-ISAC members regrouped to establish a detailed guide for security practitioners who are evaluating security vendors and their wares.  Authors of the “Tool Evaluation Framework” have selected, implemented, and operated the tools categorized in this framework at enterprise scale. As consumers of these products, and readers of industry white papers, the AppSec Working Group appreciates the need for prescriptive advice. As much as security teams need a strategy, they also need a practical way forward.

To help organizations with their security control selection process, this white paper provides a quantitative, criteria-based approach through the implementation of a grading requirement framework. The content of the paper focuses on integration, detection, protection, and compliance requirements and common feature sets offered by security tool vendors to fulfill the organizational needs.  Regardless of the characteristics of your organization and its processes, selecting the right tools to satisfy these requirements and enable security automation is a key component in securing your SDLC and improving your cyber hygiene strategy.

The audience for this white paper includes security engineers, lead software engineers, product managers, senior managers and executives responsible for the selection, implementation, and integration of software security automation tools in the organization.

ND-ISAC’s AppSec Working Group encourages feedback from security tool vendors and engineers using this evaluation framework. The technical criteria detailed in this Tool Evaluation Framework is ever-changing. While there is ongoing interest the ND-ISAC AppSec Working Group will periodically release revisions to “Software Security Automation: A Tool Evaluation Framework”.

The white paper can be found here: Software Security Automation: Security Controls Evaluation Criteria

For more information, collaboration on future releases, or if you are interested in becoming a member of ND-ISAC contact: