IBM's Secure Engineering Framework
powers-old-account 270000NC1K Visits (1004)
One of the hats I wear at IBM is one of the members of the IBM Secure Engineering team. You can read about some of our work on the IBM Secure Engineering Practices page. Our team has two main focus areas. One area is our security incident response process that IBM uses to manage the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. The other are is to foster secure engineering practices in the company. Our work efforts in this are are described in the IBM Secure Engineering Framework, which is described in this IBM Redguide Publication. I'd encourage everyone to read through that paper and think about the development practices in your organization and in particular risks to the software supply chain. It can be a sobering exercise.
I was not involved in writing the Redguide, but my team was and I'm proud to say that their work has been cited by the Enterprise Security Group. In their own words "Outlining its internal best practices for software assurance and cyber supply chain security, IBM provides a set of valuable guidelines that CISOs can customize and emulate for their own needs." Congrats to the team who wrote this book!