Tue 22 Jun 2010
Marketing Application Security
Ben Whaley of AppliedTrust and I recently spent a few months putting together a security model for Rally. We analyzed each module of our Java-based stack, detailing and capturing security considerations along the way. We relied on OWASP as a standardized framework for guiding our process. The goal of the project was to conveniently describe the Rally approach to security at the application layer. Additionally, this model has proven essential for newer members of our development team.
Many companies, particularly SaaS companies, can benefit by having a published security model. Since we had never seen anything quite like this, and because we believe in the open exchange of information, we decided to share the model with the public. Ben and I presented a talk entitled “Effectively marketing security as a win for both the business and the customer” at Front Range OWASP Conference 2010 where we presented the model detailing Rally’s approach to securing our SaaS product. Feel free to take a look at our slides.
We can now arm our sales team with a straightforward (even pretty) picture that represents exactly how we handle security throughout the application. This should assist us with answering questions in those difficult RFP documents from our more security-conscious customers. Also, I truly believe that having our security approach out there for the whole world to see shows a certain level of confidence. It’s clear that we’re not just doing a “security by obscurity” approach.
The development team at Rally has been growing during the last year, and it can be difficult to train developers, especially from a security standpoint. The security model serves a dual purpose from a training perspective: we now have a current architecture diagram that visually depicts security at each layer of the stack.
Our hope is that other companies can use this model as an example. There was no existing reference point when we started this project, so we chose to share ours. The software development industry generally, and next-generation web platforms specifically, can only benefit from being more security-aware as increasingly sensitive data is made available via the web.
