Most organizations use SD Elements content customization for one of two purposes:
1. Modify the SD Elements knowledge base to reflect your own corporate security standards and secure coding guides
2. Add content for areas that SD Elements doesn't cover
Both are done using the following process.
Step 1: Search SD Elements for Existing Content
Follow these steps to add your own content to SD Elements. For the purpose of this tutorial we will use an example standard: "All internal applications in the Retail & Commercial lines of business must use Enterprise Single Sign on".
1. Go to Customization->Tasks and expand the filter sidebar:
2. Determine if the task exists by searching for key words:
If the keyword search finds no related task, clear the search and filter by "Frequently Customized" instead:
In our example, we decide that there is no existing task covering our enterprise single sign on standard. However, certain authentication-related tasks (for example, local password rules) should not appear for applications that use the enterprise single sign on solution, so we also need to find those tasks. For that we can use a different filter category, "Authentication":
Make a note of the IDs or titles of the tasks you will want to modify. For the sake of the example, let's say we want to modify "T5: Minimum password standards".
Step 2: Modify project settings, if applicable
Before you can add new content, you may need to amend the project settings, because every piece of content is scoped by answers to project settings questions. Recall the order of dependency of SD Elements content:
Project settings <-- Problems <-- Tasks <-- HowTos
For more details, see the diagram in Understand: SD Elements Content Customization.
1. Review the existing project settings to see if they already capture all the questions & answers you need. In our example, we need to know four things to decide whether "All internal applications in the Retail & Commercial lines of business must use Enterprise Single Sign on" applies:
- Is this application internal?
- Is the application part of the retail or commercial line of business?
- Does the application need authentication?
- Is the application web based?
Note that the last two points are implied rather than stated in the standard: it clearly doesn't apply to applications that don't authenticate users or that can't make use of the single sign on suite. It's a good idea to list such assumptions explicitly when mapping a standard to SD Elements content, because they become conditions in the rule you write later.
Looking through the project settings, we note that three of these questions & answers already exist and one (line of business) doesn't:
- Section: Application General -> Subsection: Application Type -> Question: Kinds of users -> Answer: Internal users only
- Section: Application General -> Subsection: Application Type -> Question: Application type -> Answer: Web application
- Section: Features & Functions -> Subsection: Authentication -> Question: Authentication of End Users -> Answer: Has direct authentication of end users
2. Add new project settings. Read Customization: Project Settings for details on how to do this.
In our example, we will create a new section "Corporate", subsection "Org Structure", and question "Line of Business" which will look like this:
Step 3: Add a new problem, if applicable
You may need a new problem (see the description of Tasks for more detail) if the existing set of problems doesn't describe what your task is meant to prevent. Since requirements and test cases are related only through their underlying problem, add a problem whenever you want to be able to audit, through testing, that a requirement has actually been followed.
You can add the problem through the Customization->Problems page.
In our example, we determine the main problem we are trying to solve with single sign on is "Inefficient duplication of authentication databases".
Our custom problem should look like this:
Select a risk rating commensurate with the underlying risk of leaving the problem unaddressed. Remember that if you have too many high priority tasks, you effectively make it cost prohibitive for developers facing tight timelines to use your content at all.
We also need to create a rule that reflects when this problem is in-scope. See Understand: Customization Rules for more details on this step:
Step 4: Add a new task, if applicable
We can now add the main text of what the developers need to do to avoid the problem. We do this by adding a new task on the Customization->Tasks page. In our example, we point the task at the problem from the previous step; the task is then in scope whenever the problem is, so we don't need to add any additional rules.
You can also add How Tos in specific programming languages, if available:
Step 5: Add a test task, if applicable
To provide end-to-end traceability, you should also provide a test task describing how to verify that the requirement has actually been followed. Ideally, it should be written so that a tester without a security background can follow it. Use the same Customization->Tasks page, but this time select "Testing" as the phase. Be sure to attach the same problem, since that link is what ties the test task to the requirement.
Step 6: Verify the content appears as expected in a project
If everything works as expected, you should see the content in a project when the project settings are satisfied:
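The dependency chain above (project settings -> problem rule -> requirement task and test task) can be modelled in a few lines. The following Python is an added illustration for this page, not SD Elements' own code, API or rule syntax: problem and task IDs other than T5, the risk ratings, the problem text behind T5, the assumed modification to T5's rule (it now excludes projects the single sign on problem applies to), the HowTo languages and the two project settings are all constructed for the example. It shows why a task attached to a problem needs no rule of its own, why the implied "web application" and "direct authentication" answers must be part of the rule, and how a requirement with no test task behind the same problem can be flagged for the audit described in Step 3.

```python
"""Toy model of the SD Elements content chain used in this tutorial.

Illustrative code written for this page; it is not SD Elements' own API
or rule syntax. All identifiers below (problem/task IDs other than T5,
function names, project settings) are assumptions mirroring the tutorial.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A project's settings: the set of selected (question, answer) pairs.
Settings = FrozenSet[Tuple[str, str]]
Rule = Callable[[Settings], bool]


def answered(question: str, *answers: str) -> Rule:
    """Rule that holds when `question` has one of `answers` selected."""
    return lambda s: any((question, a) in s for a in answers)


def all_of(*rules: Rule) -> Rule:
    return lambda s: all(r(s) for r in rules)


def not_(rule: Rule) -> Rule:
    return lambda s: not rule(s)


@dataclass(frozen=True)
class Problem:
    pid: str
    title: str
    risk: str
    rule: Rule  # when the problem is in scope for a project


@dataclass(frozen=True)
class Task:
    tid: str
    title: str
    phase: str  # "Requirements" or "Testing"
    problem: Problem  # scope is inherited from the problem's rule
    howtos: Tuple[str, ...] = ()


# Step 2: three existing answers plus the new "Line of Business" question.
# "Internal users only" and "Web application" encode the assumptions the
# tutorial says to list explicitly.
SSO_RULE = all_of(
    answered("Kinds of users", "Internal users only"),
    answered("Application type", "Web application"),
    answered("Authentication of End Users", "Has direct authentication of end users"),
    answered("Line of Business", "Retail", "Commercial"),
)

# Step 3: the custom problem (hypothetical ID and risk rating).
SSO_PROBLEM = Problem("P-SSO", "Inefficient duplication of authentication databases", "Medium", SSO_RULE)

# Problem behind "T5: Minimum password standards" (hypothetical text/ID).
# Assumed modification: its rule now excludes projects covered by the SSO
# problem, so the local-password task stops appearing for them.
PASSWORD_PROBLEM = Problem(
    "P-PW", "Weak passwords", "High",
    all_of(answered("Authentication of End Users", "Has direct authentication of end users"),
           not_(SSO_RULE)),
)

# Steps 4 and 5: the requirement and its test task share the same problem.
CONTENT: List[Task] = [
    Task("T5", "Minimum password standards", "Requirements", PASSWORD_PROBLEM),
    Task("T-SSO-1", "Authenticate end users with Enterprise Single Sign on",
         "Requirements", SSO_PROBLEM, howtos=("Java", "C#")),
    Task("T-SSO-2", "Verify login is delegated to Enterprise SSO and no local credential store exists",
         "Testing", SSO_PROBLEM),
]


def in_scope(tasks: List[Task], settings: Settings) -> List[str]:
    """Step 6: IDs of tasks whose problem rule the project settings satisfy."""
    return [t.tid for t in tasks if t.problem.rule(settings)]


def traceability(tasks: List[Task]) -> Dict[str, List[str]]:
    """Each requirement task mapped to the test tasks sharing its problem."""
    return {
        r.tid: [t.tid for t in tasks if t.phase == "Testing" and t.problem.pid == r.problem.pid]
        for r in tasks if r.phase == "Requirements"
    }


def untraced(tasks: List[Task]) -> List[str]:
    """Requirement tasks that no test task can verify (audit gap)."""
    return [tid for tid, tests in traceability(tasks).items() if not tests]


# Constructed project settings, not real projects.
RETAIL_INTERNAL: Settings = frozenset({
    ("Kinds of users", "Internal users only"),
    ("Application type", "Web application"),
    ("Authentication of End Users", "Has direct authentication of end users"),
    ("Line of Business", "Retail"),
})
# Same application but serving external customers: the standard does not apply.
CUSTOMER_FACING: Settings = frozenset(
    (RETAIL_INTERNAL - {("Kinds of users", "Internal users only")})
    | {("Kinds of users", "External users")}
)

if __name__ == "__main__":
    for name, s in (("retail internal", RETAIL_INTERNAL), ("customer facing", CUSTOMER_FACING)):
        print(name, "->", in_scope(CONTENT, s))
    print("untraced requirements:", untraced(CONTENT))
```

For the internal retail project the SSO requirement and its test task appear and T5 is suppressed; for the customer-facing variant only T5 appears. T5 is reported as untraced purely because this toy content gives it no test task, which is exactly the gap Step 5 exists to close.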