ࡱ> r|}Z O { !"#$%&'()*+-./0123456789:<=>?@ABCDEGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqtuvwxyz{|}~Root Entry:tO X٦4CompObj#s 112 ΁٦ ΁٦ 212D٦D٦SummaryInformation(dDocumentSummaryInformation8 |Props12CV_iew dD٦D٦  !"$'()/1345678:<=@BCDEFGHJLMNOQSWYZ[]^`acdeiklmnopqsuvwxyz{ @512,0,6211,1000@512,0,6211,1000@@5\\cmna.net\proddfs\shared\ISG\USIT-TSAG\Projects&Roadmaps\P09-000 Application Security Program\BSI-MM-Project-base.mpp@5@5Q@ R@S@ T@U@V@W@ X@Y@ Z@[@\@@5@5@5@5  @5 @5End User՜.+,D՜.+, X`lx    Fri 5/15/09 Mon 9/7/0982d0h$0.000%0% StartFinish DurationWorkCost % Complete% Work CompleteHP\p ( < \  % CompleteCost DurationFinishStartWork% Work Complete Publisher Source License0% % Complete$0.00Cost82d Duration@)/Finish@6TStart0hWork0%% Work Complete David Kadowhttp://www.bsi-mm.com/0http://creativecommons.org/licenses/by-sa/3.0/Oh+'04 `h    ,BSI-MM-Project-base,Application Security Program Development David Kadow End User17Microsoft Project@@^$@@hЦ9q :tOMicrosoft Project 12.0MSProject.MPP12MSProject.Project.99q2dCFilter`D٦D٦CTable\D٦D٦CReport XD٦D٦CUdm  @TD٦D٦CEdl PD٦D٦CCommandBarL٦٦CMap H٦٦CVba ٦٦CGroupingD٦٦TBkndTask: ΁٦ ΁٦TBkndRsc3٦٦TBkndCalA,٦٦TBkndAssn%٦٦TBkndConsD٦D٦TBkndOutlCodeD٦D٦Props .LVarMeta-$Var2Data, FixedData+>FixedMeta*8Fixed2Data&Fixed2Meta%8Props ?LVarMeta!>FixedData;FixedMeta "9jFixed2Data#2Fixed2Meta0aProps AVarMeta$'<Var2DatasXFixedData&)FVFixedMeta;Fixed2Data(*,@Fixed2Meta\ Props VLVarMeta+.U$Var2DataTFixedData-0RXFixedMetaPLFixed2Data/1K Fixed2MetaIFProps hLVarMeta25g$Var2DatafFixedData47bFixedMeta_Fixed2Data68\Fixed2MetaXProps jVarMeta9<o$Var2Data>_`FixedData;>HFixedMetaFixed2Data=?!Fixed2Meta&6OBAJF~ˠ*mC> 00@ @HH0@(<P0 PPqh9I} C]W Nj#7#NCrLg>a| OQ)'F+YHwS\ ZFWԢyF[Z |@rKII yF[Z(#twE0#BT1E~pK(#twE0#BMpzʋN_, WZa.rMvPƁODzAoGE:;atzVGMAoGE:; ?t@+]¨f'KHMJR%I ?t@+]¨f? yHC|fPdx{   @HHti0@{ti@5@d@@e@@2d@@ʐd@@h\005qp009L@@d3@ e@@ʐe@@h\006p00w@{{{{ {P{{@{p{{{{0{`{{{{P{{{{{@{p{{{{0{`{{{ {0 {` { { { { {P { { { {@ {p { { {0 {` { { { { {P { { { {@{p{{{{0{`{{{ {P{{{{{@{p{{{{`{{{{ {P{{{{{{{ {P{{{{{@{p{{{{0{`{{{ {P{{{{{@{{{{0{`{{P{{{P{{{{{@{p{{{{0{`{{{ {P{{{{{@{p{{{{0{`{{{{ {P{{{66}JގSxˠ*mCAfJ|duݕ̓AbNSxˠ*mC%{OVZENiF4QϢJ?%Oxˠ*mCBL L45.@NSxˠ*mC`4 DK`q GPGC˰4xˠ*mCR<,CS p\) G(N=xˠ*mCAJ3?{NNQƪxˠ*mCYegmF1na N䘇Cyxˠ*mCt,n 'K;w Nj#7#NCrxˠ*mCN}NXJ,ar]6PƁODzxˠ*mC Mײ\AoGE:;xˠ*mCH4Gd%O ?t@+]¨fxˠ*mC #/Ah\S\ ZFWԢxˠ*mC|:(8D)|yF[Zxˠ*mCI7;eETCxMpzʋN_, Wxˠ*mC2R; KHUWc? yHC|fxˠ*mC:BEڞDdX;g:F#0=\txˠ*mCĬ՟O`UrFLG]}Gxˠ*mC~cJ ]:#*EMrOJxˠ*mCd փO>d+w qҽC6s߮xˠ*mCDyRF5Wa;Nt"xˠ*mC3HkKP!jBH-sxxˠ*mCBJ ®y8އ#u1bGDy+/xˠ*mC_FLI $R.Ek-_pxˠ*mC)kFKwEj+vAF;Kzxˠ*mCn#;:M{VBOY0Lxˠ*mCAU-E4Z{;1;=@]6CD]Ixˠ*mCO5OaY,NUn R"D5(h9xˠ*mC!K(/1~F`lBuLRD^>Dxˠ*mC,jO$66}JގSxˠ*mCAfJ|duݕ̓AbNSxˠ*mC%{OVZENiF4QϢJ?%Oxˠ*mCBL L45.@NSxˠ*mC`4 DK`q GPGC˰4xˠ*mCR<,CS p\) G(N=xˠ*mCAJ3?{NNQƪxˠ*mCYegmF1na N䘇Cyxˠ*mCYeH!W|z!I{4lxˠ*mC.IRqq<' JOxˠ*mC)&G1;ipBoo.xˠ*mC-xTLCɻ ,3vR;O$=Wwxˠ*mC`sMOMPoahM2Lצ&"xˠ*mC"Te~J !ho2SDf/jxˠ*mCůYY0Dzfs̟Sp!7J\؉xˠ*mCtFOP7n*$DkpCVxˠ*mC7aE3PO{xˠ*mCjكKM2Y NK8Ave1xˠ*mCH1sFcec  NN;Yxˠ*mC3GM;Mv#/4* G>]- xˠ*mC'FʚkH0g _kHGxˠ*mCLaOD6p|O!~!SDxˠ*mCyVK0L 8#Im#>,xˠ*mCmCIek4.]PBI0<xˠ*mCҮY#OC+:_Gü*/؂L/xˠ*mC}yl7ER`@0`CW{@ph&cxˠ*mCdYyMp*Wxˠ*mCA)@5nY|CNrAxˠ*mCL@Feps r[zE[xˠ*mC#E)6VvR[B ~Nxˠ*mC;prG>!![G`@ě;kxˠ*mC"AyIh6wGU&ApHqtyxˠ*mCo$.E P%#̚NI>Sxˠ*mCoIj i"a',OY4F[xˠ*mCO9. Eѳy~w^cF q@xˠ*mCÐ1LBIHzI&V8OSpxˠ*mCY:GPJ&0!G+Nlxˠ*mCbK'ֻ@2]v!I#^P%xˠ*mCb}8Cks+BoJxk Mxˠ*mC4FҜڏqqzVI voxˠ*mC<tJ q|LX›KDu64[xˠ*mC26tF0x|5tL/@ .sxˠ*mCCE{o2ԓaB%XQ$Puxˠ*mC]5qFrQdU_2mFV4xˠ*mCWH6GoJY›IlAzK+Mxˠ*mCn=W!M&&j8L@JeUOxˠ*mCeγJ?&T2Q=AAxˠ*mCw=CǣS&ɒE"㛕Ɲxˠ*mCv|AGN7%BTRG"xˠ*mCt俻?D%ZduΦJ%"xˠ*mCa!0EA|L O'#q7Ad]~=xˠ*mCqQqzBiF.H RVNO.7xˠ*mC86jB(nje3VPb3K0+xˠ*mCE=ДZ;K`^7{K{pj,v8@ݗxˠ*mCvPY@G}@ ! wbN gNUHxˠ*mC vkMKl?GPbOnjMxˠ*mCël{2BNRx*_H- xˠ*mCz bHGCT~!e1MD` Wxˠ*mCrg+!JB~ 56cADG2xˠ*mCziHCL=Z yCu^xˠ*mCb90vJʪTW飜T˃}Jښgxˠ*mCR8NCXI/aOJYM}JUBxˠ*mCw{JXnND"WT2xˠ*mCեCdV\ !F HS([xˠ*mCOqMFֲkUQl@ag0xˠ*mCp[sISE\JFdxˠ*mCVJ[(NzI xˠ*mCTxo HXN;/YG_&~#xˠ*mCj Y4A?8ˋl[Lu.rxˠ*mCK[BL`y/P0)=D=97xˠ*mC3&j%Kz0bd hQGYM=elRxˠ*mCʓE2ҳ@@.>WL ~͗xˠ*mCP2}aL ͇] BMLxˠ*mCM:M:!&N[nn`-B)iРxˠ*mC=,k{E~mԙzH2IriЙxˠ*mCelA- ڐHE11+xˠ*mCtUzOA6D%Md9xˠ*mCǘkK8FTSWm*Du8xˠ*mC8["O'e=U;N Axˠ*mC OGO\%W0ADNGV&xˠ*mC GҩF 27K&MW)=R{J' OCoxˠ*mC ` 0E tNvl3|Nl}Rxˠ*mCP"nOk KGd C`xˠ*mCu1abA'ZGw0-1A]4Vxˠ*mC CIMp瞿6aNږPKsxˠ*mCRovJ^fGh[BF&pxˠ*mCh[{NYH+(#twE0#Bxˠ*mC҄X晴@El,sTdAd"\xˠ*mC0 00 0 L0 0 h0 wV0 0800T0000 60 0 R0 0 n 0  0  0  0  0  0 P 0  0 l0 0 0 0 0 20 0 N0 0 0 0 0 .0 0 J0 0 f0 0 0 0 , 0  0 H!0 !0 d"0 "0 $0 $0 *%0 %0 F&0 &0 b'0 '0 ~(0  )0 (*0 *0 D+0 +0 `,0 ,0 |-0  .0 .0 /0 B00 00 ^10 10 z20 30 30 $40 40 @50 \60 60 x70 80 80 "90 90 >:0 :0 ?0 X@0 @0 tA0 B0 B0 C0 C0 :D0 D0 VE0 E0 rF0 G0 G0 H0 H0 I0 TJ0 J0 pK0 K0 L0 M0 M0 N0 RO0 O0 nP0 P0 Q0 S0 lU0 U0 B0 B0 C0 C0 :D0 D0 VE0 E0 rF0 G0 G0 H0 H0 8II0 TJ0 J0 pK0 K0 L0 M0 M0 6N0 N0 RO0 O0 nP0 P0 Q0 R0 R0 4S0 S0 PTTlU0 U0 '$'$'$'$@ 3$3$3$3$@3$3$3$3$@V$'$V$V$@@wkA@wkA@wkA$'$$$@ORAORAORA$'$$$@ORAORAORA3$'9$3$3$@OBAOBAOBA3$'N$3$3$@ObAObAObA 3$3$3$3$@ '$'$'$'$@ 3$3$3$3$@ 3$3$3$3$@ 3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$'3$3$3$@LALALA3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@ 3$3$3$3$@!!3$3$3$3$@""3$3$3$3$@##3$3$3$3$@$$3$'3$3$3$@LALALA%%3$'3$3$3$@LALALA&&3$'3$3$3$@LALALA''3$'3$3$3$@LALALA((3$'3$3$3$@LALALA))3$'3$3$3$@LALALA**3$'3$3$3$@LALALA++3$'3$3$3$@LALALA,,3$'3$3$3$@LALALA--3$'3$3$3$@LALALA..3$'3$3$3$@LALALA//3$3$3$3$@003$3$3$3$@113$3$3$3$@223$3$3$3$@333$3$3$3$@443$3$3$3$@553$3$3$3$@663$3$3$3$@773$3$3$3$@883$3$3$3$@993$'3$3$3$@LALALA::3$3$3$3$@;;3$3$3$3$@<<3$3$3$3$@==3$3$3$3$@>>3$3$3$3$@??3$3$3$3$@@@3$3$3$3$@AA3$'3$3$3$@LALALABB3$3$3$3$@CC3$3$3$3$@DD3$3$3$3$@EE3$3$3$3$@FF3$3$3$3$@GG3$3$3$3$@HH3$3$3$3$@II3$3$3$3$@JJ3$3$3$3$@KK3$3$3$3$@LL3$'3$3$3$@LALALAMM3$3$3$3$@NN3$3$3$3$@OO3$3$3$3$@PP3$3$3$3$@QQ3$3$3$3$@RR3$3$3$3$@SS3$3$3$3$@TT3$3$3$3$@UU3$3$3$3$@VV3$'3$3$3$@LALALAWW3$3$3$3$@XX3$3$3$3$@YY3$3$3$3$@ZZ3$3$3$3$@[[3$3$3$3$@\\3$3$3$3$@]]3$3$3$3$@^^3$3$3$3$@__3$3$3$3$@``3$3$3$3$@aa3$3$3$3$@bb3$'3$3$3$@LALALAcc3$3$3$3$@dd3$3$3$3$@ee3$3$3$3$@ff3$3$3$3$@gg3$3$3$3$@hh3$3$3$3$@ii3$3$3$3$@jj3$3$3$3$@kk3$3$3$3$@ll3$'3$3$3$@LALALAmm3$'3$3$3$@LALALAnn3$'3$3$3$@LALALAoo3$'3$3$3$@LALALApp3$'3$3$3$@LALALAqq3$'3$3$3$@LALALArr3$'3$3$3$@LALALAss3$'3$3$3$@LALALAtt3$3$3$3$@uu3$3$3$3$@vv3$3$3$3$@ww3$3$3$3$@xx3$3$3$3$@yy3$3$3$3$@zz3$3$3$3$@{{3$3$3$3$@||3$3$3$3$@}}3$3$3$3$@~~3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$'3$3$3$@LALALA3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$3$3$3$@3$'3$3$3$@LALALA3$'3$3$3$@LALALA3$'3$3$3$@LALALA3$3$3$3$@O$'U$O$O$@OBAOBAOBA3$3$3$3$@*0Ă@*#3$H ,eSccrualks <e*0Ă@*#3$H ,eSccrualtory <e*0Ă@*#3$H ,eSz"3$H ,uSAlign@ <u*0Ă@*"3$H ,uA@wkASAlign@ 0@ 1@ <u*0Ă@*"3$H ,uAORASAlign<u*0Ă@*"3$H ,uAORASAlign<u*0Ă@*#3$H ,raAOBAS<*0Ă@*#3$H ,raAObA Solled Up Criti<l*0Ă@*#3$H ,raSk Progress*Ro< *0Ă@*#3$H ,eSccrualture <e*0Ă@*#3$H ,eSccrualks <e*0Ă@*#3$H ,eSccrualtory <e*0Ă@*#3$H ,eSccruale ts<e*0Ă@*#3$H ,SSAl,/@ 0@ 1@ <@ *0Ă@*#3$H ,SCj<t*0Ă@*#3$H ,SGOVERNANCE<*0Ă@*#3$H ,mSeatures < *0Ă@*#3$H ,cSective <a*0Ă@*#3$H , S stories<a*0Ă@*#3$H ,aStacks <t*0Ă@*#3$H ,sS providers <*0Ă@*#3$H ,S<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<w*0Ă@*#3$H ,S@ <"*0Ă@*#3$H ,S+@ ,@ <*0Ă@*#3$H ,S7$@ $<*0Ă@*#3$H ,S @ l<@ *0Ă@*#3$H ,S  @ <*0Ă@*#3$H ,S#@ $@ <*0Ă@*#3$H ,)SW+@ ,@ <*0Ă@*#3$H ,Sh<*0Ă@*#3$H ,$S<*0Ă@*#3$H ,S<@ *0Ă@*#3$H ,tALASSplitTask Pr<B*0Ă@*#3$H ,rALASup By Summary< *0Ă@*#3$H ,aALASt*Rolled Up T<*0Ă@*#3$H ,ALAS8<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALASF\<*0Ă@*#3$H ,ALASJ<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALASS<*0Ă@*#3$H ,ALASW <*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,S@@oj<a*0Ă@*#3$H ,S<*0Ă@*#3$H ,@S@<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S@@<*0Ă@*#3$H ,ALAS!@"@gb<i*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S @ (h<*0Ă@*#3$H ,@ S @ H<*0Ă@*#3$H ,S @ (<*0Ă@*#3$H ,S @# v <*0Ă@*#3$H ,S @ <h*0Ă@*#3$H ,ALAS @'<@'*0Ă@*#3$H ,S @ (<*0Ă@*#3$H ,S(t @&<*0Ă@*#3$H ,S @&(<*0Ă@*#3$H ,S<*0Ă@*#3$H ,@)S  <*0Ă@*#3$H ,Shl @ (<*0Ă@*#3$H ,S  <*0Ă@*#3$H ,S @<*0Ă@*#3$H ,S@-<*0Ă@*#3$H ,S<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,ALAS<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,raS<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,S<*0Ă@*#3$H ,raSendors <m*0Ă@*$3$H ,lSNumRowsj<S*0Ă@*$3$H ,lStoring eds < *0Ă@*$3$H ,eSysis results< *0Ă@*$3$H ,aSperspective <c*0Ă@*$3$H ,sS tools <i*0Ă@*$3$H ,rSrchitecture <a*0Ă@*$3$H ,aSion-wide <r*0Ă@*$3$H , ALASeview data <s*0Ă@*$3$H ,cSendors cks<m*0Ă@*$3$H , Srchitecture <c*0Ă@*$3$H ,aSen attacks < *0Ă@*$3$H ,aSn's history <a*0Ă@*$3$H ,tSurity events<s*0Ă@*$3$H ,/Snetwork e <n*0Ă@*$3$H ,aALASawareness <y*0Ă@*$3$H ,sALAS into dev <n*0Ă@*$3$H ,lALASeality sion <n*0Ă@*,$3$H ,raSeatures 0@ 1@ <u*0Ă@*8$0  S8$0F  S8$0m S8$0\n  S8$0m S8$0\m S'3$H ,lAOBASe criteria:<n*0Ă@*((3$H ,uSAlignCj<u*0Ă@*1@P,z@P,@Q -1@Q-z@Ql-@R-1@R-z@R.@SH.1@S@.z@S.@T.1@T.z@T(/@Up/1@Uh/z@U/@W01@W0z@W0@X,11@X$1z@Xx1@Y11@Y1z@Y 2@ZT21@ZkX1@z@T@1@$V2@z@@01@`V2@(z@|@1@V2@z@@X1@V2@Pz@@1@W2@z@8@ 1@ PW2@ z@ `@ 1@ z@ @d1@\z@@1@z@D@1@z@@ 1@z@l@1@z@ @H 1@@ z@ @ 1@ z@( @p 1@h z@ @ 1@ z@P @, 1@$ z@x @ 1@ z@ @T 1@L z@ @ 1@ z@4@|1@tz@@1@z@\@1@z@@81@0z@@ 1@ z@ @!`1@!Xz@!@"1@"z@"@@#1@#z@#@/x1@/pz@/@0 1@0z@0X@11@1z@1@241@2,z@2@31@3z@3@4\1@4Tz@4@51@5z@5<@61@6|z@6@71@7z@7d@81@8z@8@:1@:z@: @;h 1@;` z@; @< 1@< z@<H!@=!1@=!z@=!@>$"1@>"z@>p"@?"1@?"z@?#@@L#1@@D#z@@#@Bt$1@Bl$z@B$@C%1@C%z@CT%@D%1@D%z@D%@E0&1@E(&z@E|&@F&1@F&z@F'@GX'1@GP'z@G'@H'1@H'z@H8(@I(1@Ix(z@I(@J)1@J )z@J`)@K)1@K)z@K)@M*1@M*z@M+@Nd+1@N\+z@N+@O+1@O+z@OD,@P,1@P,z@P,@Q -1@Q-z@Ql-@R-1@R-z@R.@SH.1@S@.z@S.@T.1@T.z@T(/@Up/1@Uh/z@U/@W01@W0z@W0@X,11@X$1z@Xx1@Y11@Y1z@Y 2@ZT21@ZL2z@Z2@[21@[2z@[43@\|31@\t3z@\3@]41@]4z@]\4@^41@^4z@^4@_851@_05z@_5@`51@`5z@`6@a`61@aX6z@a6@c71@c7z@c7@d81@d8z@dh8@e81@e8z@e8@fD91@f<9z@f9@g91@g9z@g$:@hl:1@hd:z@h:@i;1@i:z@iL;@j;1@j;z@j;@k(<1@k <z@kt<@t\A1@tTAz@tA@uA1@uAz@utL$Z2h @vN&\4jP(^6lDzR*`8n T!(!! *`8n F |   !T!(!! PO{F@g:F#0=\t@ NK8Ave1F@ 6">PO{3$ NN;YG@ 6">PO{3$#/4* G>]- G@ 6">PO{3$ _kHGH@ 6">PO{3$~!SDPO{3$DJ Dc>I@ 6">PO{3$#Im#>,I@ 6">PO{hwkL`R3["?@ Nj#7#NCr@hwkL`R3["3$Lg>a|@hwkL`R3["@R߼_G>@Lg>a|PƁODz@MpzʋN_, W'U$AoGE:;@MpzʋN_, W('$ ?t@+]¨f@MpzʋN_, W('$S\ ZFWԢ@R߼_G>3$yF[Z@R߼_G>3$MpzʋN_, W@R߼_G>? yHC|f @MpzʋN_, W'$g:F#0=\t"@hwkL`R3["@UrFLG]}G$@g:F#0=\t@:#*EMrOJ&@RMyPR3$w qҽC6s߮(@RMyPR3$RF5Wa;Nt"*@RMyPR3$jBH-sx,@RMyPR3$#u1bGDy+/.@RMyPR3$R.Ek-_p0@RMyPR3$j+vAF;Kz1@RMyPR3$BOY0L2@RMyPR3$;=@]6CD]I3@RMyPR3$NUn R"D5(h94@RMyPR3$LRD^>D5@g:F#0=\t@6}JގS6@LRD^>D3$̓AbNS7@LRD^>D3$QϢJ?%O8@LRD^>D3$.@NS9@LRD^>D3$GPGC˰4:@LRD^>D3$ G(N=;@LRD^>D3$X#BX!m<@LRD^>D3$l>?{NNQƪ=@LRD^>D3$a N䘇Cy>@LRD^>D3$z!I{4l?@LRD^>D3$' JO@@LRD^>D3$;ipBoo.@@LRD^>D3$vR;O$=WwA@g:F#0=\t3$M2Lצ&"A@g:F#0=\t3$o2SDf/jB@g:F#0=\t3$p!7J\؉B@g:F#0=\t3$n*$DkpCVC@g:F#0=\t3$0-LN|ws_&C@g:F#0=\t3$Q-C 9fD@g:F#0=\t3$f[ $M%, D@g:F#0=\t3$^CvkMS=rfE@g:F#0=\t3$PO{F@g:F#0=\t@ NK8Ave1F@ 6">PO{3$ NN;YG@ 6">PO{3$#/4* G>]- G@ 6">PO{3$ _kHGH@ 6">PO{3$~!SDPO{3$DJ Dc>I@ 6">PO{3$#Im#>,I@ 6">PO{3$k4.]PBI0<J@ 6">PO{3$*/؂L/J@ 6">PO{3$CW{@ph&cK@ 6">PO{3$\CfK@g:F#0=\t@R3Ko hL@\Cf3$ɖ|KI5'( L@\Cf3$_H>*WM@\Cf3$nY|CNrAM@\Cf3$[zE[N@\Cf3$vR[B ~NN@\Cf3$[G`@ě;kO@\Cf3$GU&ApHqtyO@g:F#0=\t@%#̚NI>SP@GU&ApHqty3$',OY4F[@P@GU&ApHqty3$y~w^cF q@P@GU&ApHqty3$I&V8OSpP@GU&ApHqty3$G+NlQ@GU&ApHqty3$v!I#^P%@Q@GU&ApHqty3$BoJxk<Q@GU&ApHqty3$ MQ@GU&ApHqty3$qqzVI voR@GU&ApHqty3$LX›KDu64[@R@GU&ApHqty3$|5tL/@ .sR@g:F#0=\t@aB%XQ$PuR@|5tL/@ .s3$2mFV4S@|5tL/@ .s3$IlAzK+M@S@|5tL/@ .s3$8L@JeUOS@|5tL/@ .s3$Q=AAV@KZD4{L,3$S&ɒE"㛕Ɲ@V@KZD4{L,3$TRG"V@KZD4{L,3$uΦJ%"V@KZD4{L,3$'#q7Ad]~=W@KZD4{L,3$ RVNO.7@W@KZD4{L,3$Pb3K0+W@KZD4{L,3$[_J9JX}Q W@KZD4{L,3$ANDڀ.X@g:F#0=\t@!&BJL҅@X@ANDڀ.3$}qKJw|X@ANDڀ.3$$ö{L^)\ĿX@ANDڀ.3$(UCAG/IIY@ANDڀ.3$4ͦNP#Ho&.P@Y@ANDڀ.3$7JdAWU <Y@ANDڀ.3$v8@ݗY@ANDڀ.3$! wbN gNUHZ@ANDڀ.3$GPbOnjM@Z@ANDڀ.3$_H- Z@g:F#0=\t@!e1MD` W88Z@g:F#0=\t@6cADG2[@g:F#0=\t3$ yCu^@[@g:F#0=\t3$T˃}Jښg[@g:F#0=\t3$JYM}JUB[@g:F#0=\t3$nND"WT2\@g:F#0=\t3$ !F HS([@\@g:F#0=\t@kUQl@ag0\@ !F HS([3$\JFd\@ !F HS([3$[(NzI ]@ !F HS([3$eM.-g@]@ !F HS([3$izǗLG<]@ !F HS([3$WϡI[v<8,]@ !F HS([3$HB'U8iI$I$$@UrFLG]}G3$/YG_&~#$I$I$@Lg>a|3$ˋl[Lu.r۶m۶m$@UrFLG]}G3$0)=D=97$I$I$@UrFLG]}G3$ hQGYM=elRm۶m۶$@UrFLG]}G3$@.>WL ~͗m۶m$@UrFLG]}G3$ ͇] BML$@UrFLG]}G3$n`-B)iРH$I$%@UrFLG]}G3$zH2IriЙ$I$I%@UrFLG]}G3$ڐHE11+ڶm۶m%@UrFLG]}G3$D%Md9m۶m%@RMyPR3$SWm*Du898Z@_H- 3$U;N ArqZ@_H- 3$%W0ADNGV&Z@_H- 3$K&MW)<88Z@_H- 3$8fCD@}|"SqǑZ@_H- 3$M՜NO8VUUUUZ@_H- 3$lO4J3#!8Z@_H- 3$FZ^jOɛQ'`qqZ@g:F#0=\t3$NZGGR+\vvZ@!e1MD` W3$/ N('N$,sTdAd"\ @hwkL`R3["3$H 0C8c@CHCPCXC`ChCpCx C c # # ################# #( #0!#8"#@##H$#/#0#1#2#3#4#5#6#7#8#9#:#<#=#>#?# @#(A#0B#8C#@D#HE#PF#XG#`H#hI#pJ#xK#L#M#N#O#P#Q#R#S#T#U#V#W#X#Y#Z#[#]#^#_#`# a#(b#0c#8d#@e#Hf#Pg#Xh#`i#hj#pk#xl#m#n#o#p#v#w#x#y#z#{#|#~#### #(#0#8#@#H#P#x#########ȓ#Д#ؕ#####(C0@######Cȓ#Д#ؕ####CCC# (C0@#,,'V$'$#3$      !"#$%&'()*+,-./0123456789:;<=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnpqrstuvwxyNE'$3$53$'$"3$3$'$3$3$'3$3$"3$ 3$3$'$3$'3$'$"3$3$'$'$3$'3$'$"3$3$'$'$V$ 22'V$'$"3$ V$'$'U$ '$$ '$'$"3$ $'$'$ '$$ '$'$"3$ $'$'$'9$3$]]'3$'9$#3$ 3$'9$3$'N$3$ww'3$'N$#3$ 3$'N$3$ '$V$,,'V$'$#3$ V$'$ '$'$ ''$'$#3$ '$'$'$ 3$'$'3$3$#3$ 3$'$ 3$'$ '3$3$#3$ 3$'$ 3$'$'3$3$#3$ 3$'$3$'$'3$3$#3$ 3$'$3$'$'3$3$#3$ 3$'$ 3$'$'3$3$#3$ 3$'$!3$'$'3$3$#3$ 3$'$"3$'$'3$3$#3$ 3$'$#3$'$'3$3$#3$ 3$'$$3$'$'3$3$#3$ 3$'$%3$'$'3$3$#3$ 3$'$&3$'$'3$3$#3$ 3$'$'3$'$ '3$3$#3$3$'$(3$'$'3$3$#3$ 3$'$)3$'$'3$3$#3$ 3$'$*3$'$'3$3$#3$ 3$'$+3$'$'3$3$#3$ 3$'$,3$'$'3$3$#3$ 3$'$-3$'$'3$3$#3$ 3$'$.3$'$'3$3$#3$ 3$'$/3$'$'3$3$#3$ 3$'$ 03$'$'3$3$#3$ 3$'$!13$'$'3$3$#3$ 3$'$"23$'$'3$3$#3$ 3$'$#33$'$'3$3$#3$ 3$'$$1'3$3$ ''3$'3$#3$3$'3$%2'3$3$ ''3$'3$#3$3$'3$&3'3$3$ ''3$'3$#3$3$'3$'4'3$3$ ''3$'3$#3$3$'3$(5'3$3$ ''3$'3$#3$3$'3$)6'3$3$ ''3$'3$#3$3$'3$*7'3$3$ ''3$'3$#3$3$'3$+8'3$3$ ''3$'3$#3$3$'3$,9'3$3$ ''3$'3$#3$3$'3$-:'3$3$ ''3$'3$#3$3$'3$.43$'$ '3$3$#3$3$'$/53$'$.'3$3$#3$ 3$'$063$'$.'3$3$#3$ 3$'$173$'$.'3$3$#3$ 3$'$283$'$.'3$3$#3$ 3$'$393$'$.'3$3$#3$ 3$'$4:3$'$.'3$3$#3$ 3$'$5;3$'$.'3$3$#3$ 3$'$6<3$'$.'3$3$#3$ 3$'$7=3$'$.'3$3$#3$ 3$'$8>3$'$.'3$3$#3$ 3$'$9?3$'$ '3$3$#3$3$'$:@3$'$9'3$3$#3$ 3$'$;A3$'$9'3$3$#3$ 3$'$<B3$'$9'3$3$#3$ 3$'$=C3$'$9'3$3$#3$ 3$'$>D3$'$9'3$3$#3$ 3$'$?E3$'$9'3$3$#3$ 3$'$@F3$'$9'3$3$#3$ 3$'$AG3$'$ '3$3$#3$3$'$BH3$'$A'3$3$#3$ 3$'$CI3$'$A'3$3$#3$ 3$'$DJ3$'$A'3$3$#3$ 3$'$EK3$'$A'3$3$#3$ 3$'$FL3$'$A'3$3$#3$ 3$'$GM3$'$A'3$3$#3$ 3$'$HN3$'$A'3$3$#3$ 3$'$IO3$'$A'3$3$#3$ 3$'$JP3$'$A'3$3$#3$ 3$'$KQ3$'$A'3$3$#3$ 3$'$LR3$'$ '3$3$#3$3$'$MS3$'$L'3$3$#3$ 3$'$NT3$'$L'3$3$#3$ 3$'$OU3$'$L'3$3$#3$ 3$'$PV3$'$L'3$3$#3$ 3$'$QW3$'$L'3$3$#3$ 3$'$RX3$'$L'3$3$#3$ 3$'$SY3$'$L'3$3$#3$ 3$'$TZ3$'$L'3$3$#3$ 3$'$U[3$'$L'3$3$#3$ 3$'$V\3$'$ '3$3$#3$3$'$W]3$'$V'3$3$#3$ 3$'$X^3$'$V'3$3$#3$ 3$'$Y_3$'$V'3$3$#3$ 3$'$Z`3$'$V'3$3$#3$ 3$'$[a3$'$V'3$3$#3$ 3$'$\b3$'$V'3$3$#3$ 3$'$]c3$'$V'3$3$#3$ 3$'$^d3$'$V'3$3$#3$ 3$'$_e3$'$V'3$3$#3$ 3$'$`f3$'$V'3$3$#3$ 3$'$ag3$'$V'3$3$#3$ 3$'$bh3$'$ '3$3$#3$3$'$ci3$'$b'3$3$#3$ 3$'$dj3$'$b'3$3$#3$ 3$'$ek3$'$b'3$3$#3$ 3$'$fl3$'$b'3$3$#3$ 3$'$gm3$'$b'3$3$#3$ 3$'$hn3$'$b'3$3$#3$ 3$'$io3$'$b'3$3$#3$ 3$'$jp3$'$b'3$3$#3$ 3$'$kq3$'$b'3$3$#3$ 3$'$lr3$'$ '3$3$#3$3$'$mz3$'$ '3$3$#3$3$'$n'3$3$ ''3$'3$#3$3$'3$o'3$3$ ''3$'3$#3$3$'3$p'3$3$ ''3$'3$#3$3$'3$q'3$3$ ''3$'3$#3$3$'3$r'3$3$ ''3$'3$#3$3$'3$s3$'$ '3$3$#3$3$'$t3$'$s'3$3$#3$ 3$'$u3$'$s'3$3$#3$ 3$'$v3$'$s'3$3$#3$ 3$'$w3$'$s'3$3$#3$ 3$'$x3$'$s'3$3$#3$ 3$'$y3$'$s'3$3$#3$ 3$'$z3$'$ '3$3$#3$ 3$'${3$'$ '3$3$#3$ 3$'$|3$'$ '3$3$#3$ 3$'$}3$'$ '3$3$#3$ 3$'$~3$'$ '3$3$#3$ 3$'$3$'$ '3$3$#3$ 3$'$3$'$ '3$3$#3$ 3$'$3$'$ '3$3$#3$ 3$'$3$'$ '3$3$#3$ 3$'$3$'$ '3$3$#3$ 3$'$3$'$ '3$3$#3$ 3$'$l۶m۶%@m۶m%@3$'$ '3$3$#3$ 3$'$3$'$'3$3$#3$ 3$'$s3$'$l'3$3$$3$ 3$'$t3$'$l'3$3$$3$ 3$'$u3$'$l'3$3$$3$ 3$'$v3$'$l'3$3$$3$ 3$'$w3$'$l'3$3$$3$ 3$'$x3$'$l'3$3$$3$ 3$'$y3$'$l'3$3$$3$ 3$'$w'3$3$ ''3$'3$$3$3$'3${3$'$m'3$3$$3$ 3$'$|3$'$m'3$3$$3$ 3$'$}3$'$m'3$3$$3$ 3$'$~3$'$m'3$3$$3$ 3$'$3$'$m'3$3$$3$ 3$'$3$'$m'3$3$$3$ 3$'$~'3$3$ ''3$'3$$3$3$'3$'3$3$ ''3$'3$$3$3$'3$'3$3$ ''3$'3$$3$3$'3$3$'$s PQR '3$3$,$3$ 3$'$'U$O$]]'O$'U$'3$ O$'U$'N$ !@ 3$'$'3$3$((3$ 3$'$ATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:engage SSG with arcBSI-MM-Project Project StartPhase 1 'Governance 'Intelligence"SSDL TouchpointsDeployment2identify PII obligationsCP 1.2dknow all regulatory pressures and unify approach CP 1.1create policyCP 1.3 "BSI-MM Task Pool GovernanceIntelligence"SSDL TouchpointsDeployment,COMPLIANCE AND POLICYGOVERNANCE smlbV*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCEcreate policyETRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCE*STRATEGY AND METRICSGOVERNANCETRAININGE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCE,COMPLIANCE AND POLICYGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCETRAININGGOVERNANCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCEATTACK MODELSINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:engage SSG with architectureINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE:SECURITY FEATURES AND DESIGNINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE.create security portalNTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE6STANDARDS AND REQUIREMENTSINTELLIGENCE,ARCHITECTURE ANALYSISINTELLIGENCENTS,ARCHITECTURE ANALYSISINTELLIGENCENTS,ARCHITECTURE ANALYSISINTELLIGENCENTS,ARCHITECTURE ANALYSIS"SSDL TOUCHPOINTS,ARCHITECTURE ANALYSIS"SSDL TOUCHPOINTS,ARCHITECTURE ANALYSIS"SSDL TOUCHPOINTS,ARCHITECTURE ANALYSIS"SSDL TOUCHPOINTS,ARCHITECTURE ANALYSIS"SSDL TOUCHPOINTS,ARCHITECTURE ANALYSIS"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTSCODE REVIEW"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS build a factory"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS"SECURITY TESTING"SSDL TOUCHPOINTS(PENETRATION TESTINGDEPLOYMENT(PENETRATION TESTINGDEPLOYMENT(PENETRATION TESTINGDEPLOYMENT(PENETRATION TESTINGDEPLOYMENT(PENETRATION TESTINGDEPLOYMENT(PENETRATION TESTINGDEPLOYMENT(PENETRATION TESTINGDEPLOYMENT*SOFTWARE ENVIRONMENTDEPLOYMENT*SOFTWARE ENVIRONMENTDEPLOYMENT*SOFTWARE ENVIRONMENTDEPLOYMENT*SOFTWARE ENVIRONMENTDEPLOYMENT*SOFTWARE ENVIRONMENTDEPLOYMENT*SOFTWARE ENVIRONMENTDEPLOYMENTlCONFIGURATION MANAGEMENT AND VULNERABILITY MANAGEMENTDEPLOYMENTRcreate/interface with incident response Y MANAGEMENTDEPLOYMENTlCONFIGURATION MANAGEMENT AND VULNERABILITY MANAGEMENTDEPLOYMENTDhave emergency codebase response RABILITY MANAGEMENTDEPLOYMENTlCONFIGURATION MANAGEMENT AND VULNERABILITY MANAGEMENTDEPLOYMENTJdevelop operations inventory of appsILITY MANAGEMENTDEPLOYMENTlCONFIGURATION MANAGEMENT AND VULNERABILITY MANAGEMENTDEPLOYMENT publish process (roles, responsibilities, plan), evolve as necessary SM.1.1GOVERNANCETcreate evangelism role/internal marketingSM.1.2GOVERNANCE&educate executivesSM.1.3GOVERNANCEhidentify gate locations, gather necessary artifactsSM.1.4GOVERNANCEpidentify metrics and drive initiative budgets with themSM.1.5GOVERNANCEbpublish data about software security internally SM.2.1GOVERNANCEbenforce gates with measures and track exceptionsSM.2.2GOVERNANCE^create or grow social network/satellite systemSM.2.3GOVERNANCE4require security sign-offSM.2.4GOVERNANCEnuse internal tracking application with portfolio view SM.3.1GOVERNANCE>run external marketing programSM.3.2GOVERNANCE2identify PII obligationsCP.1.2CP.1.3Tidentify PII data in systems (inventory) CP.2.1lrequire security sign-off for compliance-related riskCP.2.2Pimplement/track controls for complianceCP.2.3xpaper all vendor contracts with SLAs compatible with policyCP.2.4|promote executive awareness of compliance/privacy obligationsCP.2.58create regulator eye-candy CP.3.12impose policy on vendorsCP.3.2drive feedback from SSDL data back to policy (T: strategy/metrics)CP.3.3,COMPLIANCE AND POLICY  dknow all regulatory pressures and unify approach CP.1.1 #"! 8provide awareness training Rinclude security resources in onboarding6establish SSG office hoursFidentify satellite during trainingoffer role-specific advanced curriculum (tools, technology stacks, bug parade) `create/use material specific to company history2require annual refresherHoffer on-demand individual training>hold satellite training/eventszreward progression through curriculum (certification or HR) dprovide training for vendors or outsource workersNhost external software security eventsGOVERNANCEGOVERNANCE T.1.1 T.1.2 T.1.3 T.1.4 T.2.1 T.2.2 T.2.3 T.2.4 T.2.5 T.3.1 T.3.2 T.3.3 87654dbuild and maintain a top N possible attacks list AM.1.1`create data classification scheme and inventoryAM.1.2:identify potential attackersAM.1.3Fcollect and publish attack storiesAM.1.4build attack patterns and abuse cases tied to potential attackers AM.2.1Vcreate technology-specific attack patternsAM.2.26gather attack intelligenceAM.2.3vbuild internal forum to discuss attacks (T: standards/req)AM.2.4have a science team that develops new attack methods arm testers and auditors AM.3.1vcreate and use automation to do what the attackers will doAM.3.2@?>=<build/publish security features (authentication, role management, key management, audit/log, crypto, protocols) SFD.1.1SFD.1.2build secure-by-design middleware frameworks/common libraries (T: code review) SFD.2.2rcreate SSG capability to solve difficult design problemsSFD.2.3tfind/publish mature design patterns from the organizationSFD.2.3form review board or central committee to approve and maintain secure design SFD.3.3require use of approved security features and frameworks (T: AA)SFD.3.1 KJIHGhcreate security standards (T: sec features/design) SR.1.1SR.1.2btranslate compliance constraints to requirementsSR.1.3>create secure coding standardsSR.1.4Dcommunicate standards to vendors SR.2.1@create a standards review boardSR.2.2Ncreate standards for technology stacksSR.2.3:identify open source in appsSR.2.4vgain buy-in from legal department and standardize approachSR.2.54control open source risk SR.3.1 UTSRQBperform security feature review AA.1.1bperform design review for high-risk applicationsAA.1.2:have SSG lead review effortsAA.1.3use risk questionnaire to rank apps standardize approach using attackAA.1.4.define/use AA process AA.2.1vstandardize architectural descriptions (include data flow)AA.2.2Rmake SSG available as AA resource/mentorAA.2.3\have software architects lead review efforts AA.3.1drive analysis results into standard architectural patterns (T: sec features/design)AA.3.2 a`_^]xcreate top N bugs list (real data preferred) (T: training) >have SSG perform ad hoc reviewpestablish coding labs or office hours focused on review\use automated tools along with manual review 2enforce coding standardsXmake code review mandatory for all projectsuse centralized reporting (close knowledge loop, drive training) (T: strategy/metrics)(assign tool mentorsRuse automated tools with tailored rules build capability for eradicating specific bugs from entire codebaseCR.1.1CR.1.2CR.1.3CR.2.1CR.2.2CR.2.3CR.2.4CR.2.5CR.3.1CR.3.2CR.3.3 kjihgtensure QA supports edge/boundary value condition testing ST.1.1>share security results with QAST.1.2integrate black box security tools into the QA process (including protocol fuzzing) ST.2.1xallow declarative security/security features to drive testsST.2.2"SSDL TOUCHPOINTS|begin to build/apply adversarial security tests (abuse cases)ST.2.3"SSDL TOUCHPOINTSRinclude security tests in QA automation ST.3.1"SSDL TOUCHPOINTShperform fuzz testing customized to application APIsST.3.2"SSDL TOUCHPOINTSNdrive tests with risk analysis resultsST.3.3"SSDL TOUCHPOINTS6leverage coverage analysisST.3.4"SSDL TOUCHPOINTSVuse external pen testers to find problems PT.1.1DEPLOYMENTfeed results to defect management/mitigation (T: config/vuln mgmt)PT.1.2DEPLOYMENTDuse pen testing tools internally PT.2.1DEPLOYMENTprovide pen testers with all available information (T: AA & code review)PT.2.2DEPLOYMENT\periodic scheduled pen tests for app coveragePT.2.3DEPLOYMENTuse external pen testers to perform deep dive (one-off bugs/fresh thinking) PT.3.1DEPLOYMENTfhave SSG customize pen testing (tools and scripts)PT.3.2DEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTDEPLOYMENTyxwvidentify software bugs found in ops monitoring and feed back to devztrack software bugs found during ops through the fix processfix all occurrences of software bugs from ops in the codebase (T: code review) Duse application input monitoring SE.1.1Zensure host/network security basics in placeSE.1.2*use code protection SE.2.1Xpublish installation guides created by SSDLSE.2.2huse application behavior monitoring and diagnosticsSE.2.3$use code signing SE.3.1enhance dev processes (SSDL) to prevent cause of software bugs found in opsCMVM.1.1CMVM.1.2CMVM.2.1CMVM.2.2CMVM.2.3CMVM.3.1CMVM.3.2DEPLOYMENTBSI-MM-Projectbase Draft,IT Committee Approval"PnP Sub ApprovalExec ApprovalhIntegrate drivers from OWASP top-10 and SANS top-25 :Policy Subcommittee Approval Etc& .{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}} {\*\generator Riched20 12.0.6211.1000;}\viewkind4\uc1 \pard\f0\fs16 Can map to AM1.1 and CR1.1 if no sec-bugs have yet been identified through related internal QA process\par \par } GOVERNANCEGOVERNANCEGOVERNANCEGOVERNANCEGOVERNANCEGOVERNANCEGOVERNANCEGOVERNANCE2BSI-MM Activites Listing(BSI-MM-Project-baseP6@ h\00(5p00IhŰN͐և!e@@88&No Group,@- _`3`@ f_@ "s@ .t@ ]@ J@ @ |@ js@ vt@  \@ l@ j@ 6@ |@ s@ t@ @ \@ -_6@ "\@ .\@ G_6@ ^\@ j\@ ]@ a_6@ \@ \@ r@ 3@ {_6@ @ "3@ _6@ \@ 4@ T3@ _6@ \s@ \t@ \@ \@ \@ _6@ ]@ ]@ _@ s@ t@ @ @ 6@ $s@ $t@ $@ *@ *3@ F6@ `@  +3@ 6@ +@ t+3@ 6@ +@ +3@ 6@ ,@ \,3@ f6@ n,@ ,3@ 6@ ,@ |-3@ 6@ -@ -3@ >6@ -@ .3@ 6@ $.@ .3@ 6@ @ 6@ /s@ /t@ /@ /@ 043@ b6@ 0@ @43@ 6@ t0@ P43@ 6@ 0@ `43@ @6@ 0@ p43@ 6@ 1@ 43@ 6@ 2@ 43@  6@ 62@ 43@ h 6@ 2@ 43@ 6@ !2@ !43@ ! 6@ "B3@ "43@ ", 6@ #3@ #43@ #\ 6@ .V @ .v 6@ .4s@ .4t@ .5@ /$5@ /53@ / 6@ 05@ 063@ 0 6@ 16@ 1R63@ 10 6@ 2d6@ 263@ 2n 6@ 36@ 3J73@ 3 6@ 4\7@ 473@ 4 6@ 57@ 583@ 5(6@ 68@ 683@ 6f6@ 78@ 7B93@ 76@ 8T9@ 893@ 86@ 9@ 9\6@ 99s@ 99t@ 99@ ::@ ::3@ :6@ ;@ ;;3@ ;6@ <";@ <;3@ <p6@ =;@ =P<3@ =6@ >d<@ ><3@ >(6@ ?<@ ?=3@ ?6@ @=@ @*>3@ @6@ A@ A06@ A>>s@ AJ>t@ AV>@ Br>@ B>3@ B6@ C@ C>3@ C6@ D?@ Dh?3@ D86@ Ez?@ E?3@ E6@ F?@ F@3@ F6@ G(@@ Gl@3@ G@6@ H~@@ H@3@ H6@ I@@ I A3@ I6@ J2A@ JA3@ J<6@ KA@ KA3@ K6@ L@ L6@ LBs@ LBt@ L B@ M6@ NB@ NB3@ N6@ O C@ OJC3@ O6@ P\C@ PC3@ P@6@ QC@ Q0D3@ Q6@ RBD@ RD3@ R6@ SD@ S$E3@ S6@ T6E@ TE3@ T\6@ UE@ UVF3@ U6@ V@ V6@ VhFs@ VtFt@ VF@ WF@ WJ3@ W"6@ XG@ XJ3@ Xd6@ YZG@ YJ3@ Y6@ ZG@ ZJ3@ Z6@ [.H@ [J3@ [*6@ \dH@ \J3@ \l6@ ]H@ ]J3@ ]6@ ^rI@ ^J3@ ^6@ _I@ _K3@ _P6@ `v@ `"K3@ `6@ aI@ a4K3@ a6@ b@ b46@ bFKs@ bRKt@ b^K@ czK@ cK3@ c6@ dL@ dFL3@ d6@ eXL@ eM3@ e6@ fM@ fM3@ fM6@ gM@ gLN3@ g^N6@ hN@ hN3@ hN6@ iO@ i~O3@ iO6@ jO@ jP3@ jP6@ k@P@ kzP3@ kP6@ l@ l6@ lPs@ lPt@ lP@ m(@ mV6@ mHVs@ mTVt@ m`V@ s @ sH!6@ s|Vs@ sVt@ sV@ tb!@ t*[3@ t!6@ uV@ u@[3@ u\"6@ vv"@ vV[3@ v"6@ wS6@ XS@ S3@ S6@ S@ T3@ T6@ T@ U3@ *U6@ ^X@ X3@ ^U6@ X@ Y3@ xU6@ (Y@ VY3@ U6@ hY@ Y3@ U6@ Y@ BZ3@ U6@ TZ@ |Z3@ U6@ Z@ [3@ [6@ $]@ ^@ _6@ ]@ ]@ ]@ ^@  @ (d @ (d @ (d }@ "d@ d@ (d@ (d ~@ "h\00(5p00IhŰN͐և!e@@88@ "d&No Group,@- @-No Group% +]@"D45&No GroupProps  "PEProps ~GFixedMeta}$VarMetaE|0      !#$%&'()*+,-./0123456789:;<=>?@ABCDFGHIJKLMPQRSTUVWXY\]^_`abcdefghijklmnopqrstuvwxyz{|}~GG|@TBkndTask,TBkndRsc,TBkndCal,TBkndAssn,TBkndCons,TBkndOutlCode@@@3$@'$@@"3$@)3$*@BSI-MM-Project-base @David Kadow@Standard@@$@@@@@@@@@@@@@@` @  @ !@'$@%@&@'@(@)@nz~DTmdn*@+@,@-@.@/@0@1@2@3@4@5@6@7@8@9@:@;@<@=@>@?@A@B@C@D@E@F@G@K@M@N@O@P@Q@ R@S@ T@U@V@W@ X@Y@ Z@[@\@]@^@ @-@ @d w@@@@@x` ` ` x` ` ` x` ` ` x` ` ` x` ` ` @@@@~ˠ*mC@@@@@@@@@@@@@@@@@@@@ @@@@.@ @@ @@)3$@@@@@@@@ @USD@@@@@@@M ZKvg@@@@@@N_`3@! V@  @ @ d@ (db@ d@ (d@ "d"@ (d@ (d@ "d \@ d@@ d@ (d@ (dG@ (d @ "d @ (d @ (d@ (dR@ (d@ (d @ "d@ dm@ (dx@ "d @ d@@ (d@ d @ (d @ (d @ (d }@ "d@ d@ (d@ (d ~@ "d@@ d@ d@ (dy@ "dz@ "d@ (d@ (d {@ "d@|@ "d @ (d &@ " '@ " d@ * c@ * @ " @ " @ "$ @ ( @ * @ (, @ (. @ 2 @ 6 @ (: @ (< @ (@ @ (B @ (F @ (J @ (N @ (P @ (R @ (V @ (X #@ (\ $@ (` )@ hd *@ hh +@ hl ,@ hp @ (t e@ (x @ (z @ (| !@ (~ @ ( @ ( ]@  @  q@  r@  @ ` %@ " (@ " @ ( @  @ h @ (e @ (e @ (e @ (e @ (e @ (e @ (e @ e @ (e @ e @ e @ (e@ @ @ e@ e@ e@ e@ e@  @  @ J @  p@  @ 3@ 6@ 9@ <@ ?@ B@ C@ D@ E@ F@ 4@ 5@ 7@ 8@ :@ ;@ =@ >@  @@ !A@ "@ #@ $@ %@ &@ '@ ( @ )!@ *"@ +#@ ,s@ -W@ .X@ /Y@ 0Z@ 1[@ 2.@ 3/@ 40@ 51@ 62@ 7g@ 8@ 9h@ :@ ;i@ <@ =@ >Q@ ?@ @R@ A@ BS@ C@ DT@ E@ FU@ G@ HV@ I@ JW@ K|@  L@ LM@ Nv@ O@ P @ Q @ R @ S @ T @ U@ V@ W@ X@ Y@ Z=@ [>@ \?@ ]@@ ^A@ _B@ `C@ aD@ bE@ cF@ dG@ eH@ fI@ gJ@ hK@ iL@ jM@ kN@ lO@ mP@ n3@ o4@ p5@ q6@ r7@ s8@ t9@ u:@ v;@ w<@ xu@ y@ z@ {@ |@ }@ ~@ @ @ @ @ @ @ H@ I@ J@ K@  L@ @M@ N@ O@ P@  Q@  $@  %@  &@  @'@ (@ )@ *@ +@ ,@ -@ @  @  @  @   @  @@  @  @  @   @   @   @   @   @@  @  @  @  @  @  @  @ j@ ek@ el@ e@ e@ e@ e@ e@ e@ e@ e@ @ X@ Y@ Z@ [@ \@ i@ j@ k@ l@ m@ @ @ ^@ @ @ @ @ e V@  @ @ d@ (db@ d@ (d@ "d"@ (d@ (d@ "d \@ d@@ d@ (d@ (dG@ (d @ "d @ (d @ (d@ (dR@ (d@ (d @ "d@ dm@ (dx@ "d @ d@@ (d@ d @ (d @ (d @ (d }@ "d@ d@ (d@ (d ~@ "d@@ d@ d@ (dy@ "dz@ "d@ (d@ (d {@ "d@|@ "d @ (d &@ " '@ " d@ * c@ * @ " @ " @ "$ @ ( @ * @ (, @ (. @ 2 @ 6 @ (: @ (< @ (@ @ (B @ (F @ (J @ (N @ (P @ (R @ (V @ (X #@ (\ $@ (` )@ hd *@ hh +@ hl ,@ hp @ (t e@ (x @ (z @ (| !@ (~ @ ( @ ( ]@  @  q@  r@  @ ` %@ " (@ " @ ( @  @ h @ (e @ (e @ (e @ (e @ (e @ (e @ (e @ e @ (e @ e @ e @ (e@ @ @ e@ e@ e@ e@ e@  @  @ J @  p@  @ 3@ 6@ 9@ <@ ?@ B@ C@ D@ E@ F@ 4@ 5@ 7@ 8@ :@ ;@ =@ >@  @@ !A@ "@ #@ $@ %@ &@ '@ ( @ )!@ *"@ +#@ ,s@ -W@ .X@ /Y@ 0Z@ 1[@ 2.@ 3/@ 40@ 51@ 62@ 7g@ 8@ 9h@ :@ ;i@ <@ =@ >Q@ ?@ @R@ A@ BS@ C@ DT@ E@ FU@ G@ HV@ I@ JW@ K|@  L@ LM@ Nv@ O@ P @ Q @ R @ S @ T @ U@ V@ W@ X@ Y@ Z=@ [>@ \?@ ]@@ ^A@ _B@ `C@ aD@ bE@ cF@ dG@ eH@ fI@ gJ@ hK@ iL@ jM@ kN@ lO@ mP@ n3@ o4@ p5@ q6@ r7@ s8@ t9@ u:@ v;@ w<@ xu@ y@ z@ {@ |@ }@ ~@ @ @ @ @ @ @ H@ I@ J@ K@  L@ @M@ N@ O@ P@  Q@  $@  %@  &@  @'@ (@ )@ *@ +@ ,@ -@ @  @  @  @   @  @@  @  @  @   @   @   @   @   @@  @  @  @  @  @  @  @ j@ ek@ el@ e@ e@ e@ e@ e@ e@ e@ e@ @ X@ Y@ Z@ [@ \@ i@ j@ k@ l@ m@ @ @ ^@ @ @ @ @  w@ H y@ ( @ (H( ~@ (, @ (. @ 2 @ "@ @ @ @ e@ e@ @ @ e@ ʀ@ ʀ@ ʀ@ @ @ e@ e@ @ @ e@ ʀ@ ʀ@ ʀ@ @ @ e@ e@ @ @ e@ ʀ@ ʀ@ ʀ@ @ @ e@ e@  @  @ e @ ʀ @ ʀ @ ʀ@ @ @ e@ e@ @ @ e@ ʀ@ ʀ@ ʀ @ !@ "@ e#@ e%@ &@ '@ e(@ ʀ)@ ʀ*@ ʀ+@ ,@ -@ e.@ e0@ 1@ 2@ e3@ ʀ4@ ʀ5@ ʀ6@ 7@ 8@ e9@ e;@ <@ =@ e>@ ʀ?@ ʀ@@ ʀA@ B@ C@ eD@ eF@ G@ H@ eI@ ʀJ@ ʀK@ ʀL@ M@ N@ eO@ eQ@ R@ S@ eT@ ʀU@ ʀV@ ʀW@ e X@ e Y@ e Z@ e [@ e \@ e]@ e^@ e_@ e`@ ea@ b@ c@ d@ e@ f@ g@ h@ i@ j@ k@ l@ m@ n@  o@ !p@ "q@ #r@ $s@ %t@ &u@ 'v@ (w@ )x@ *y@ +z@ ,{@ -|@ .}@ /~@ 0@ 1@ 2@ 3@ 4@ 5@ 6@ 7@ 8@ 9@ :@ ;@ <@ =@ >@ ?@ @@ A@ B@ C@ @ @ @ @  @ @@ @ @ @  @  @  @  @  @@ @ @ @ @ @ @ @  @  @  @   @  @@  @  @  @   @   @   @   @   @@  @  @  @  @  @  @  D@ E@ F@ G@ H@ I@ J@ K@ L@ M@ N@ O@ P@ Q@ R@ S@ T@ U@ V@ W@ X@ Y@ Z@ [@ \@ ]@ ^@ _@ `@ a@ b@ c@ d@ e@ f@ g@ h@ i@ j@ k@ l@ ʠm@ ʠn@ ʠo@ ʠp@ ʠq@ ʠr@ ʠs@ ʠt@ ʠu@ ʠv@ ʠw@ ʠx@ ʠy@ ʠz@ ʠ{@ ʠ|@ ʠ}@ ʠ~@ ʠ @ ʠ @ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʀ @ ʀ!@ ʀ"@ ʀ#@ ʀ$@ ʀ%@ ʀ&@ ʀ'@ ʀ(@ ʀ)@ ʀ*@ ʀ+@ ʀ,@ ʀ-@ ʀ.@ ʀ/@ ʀ0@ ʀ1@ ʀ2@ ʀ3@ ʀ4@ ʀ5@ ʀ6@ ʀ7@ ʀ8@ ʀ9@ ʀ:@ ʀ;@ ʀ<@ ʀ=@ ʀ>@ ʀ?@ ʀ@@ ʀA@ ʀB@ ʀC@ ʀD@ ʀE@ ʀF@ ʀQ@ eR@ eS@ eT@ eU@ eV@ eW@ eX@ eY@ eZ@ e[@ \@ ]@ ^@ _@ `@ a@ b@ c@ d@ e@ f@ g@ h@ i@ j@ k@ l@ m@ n@ o@ p@ q@ r@ s@ t@ u@ v@ w@ x@ y@ z@ {@ |@ }@ ~@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ @ ʠ @ ʠ @ ʠ@ @ @ @  @ @@ @ @ @  @  @  @  @  @@ @ @ @ @ @ @ @  @  @  @   @  @@  @  @  @   @   @   @   @   @@  @  @  @  @  @  @   @  @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @  @ !@ "@ #@ $ @ % @ & @ ' @ ( @ )@ *@ +@ ,@ -@ .@ /@ 0@ 1@ 2@ 3@ 4@ ʀ5@ ʀ6@ ʀ7@ ʀ8@ ʀ9@ ʀ:@ ʀ; @ ʀ<!@ ʀ="@ ʀ>#@ ʀ?$@ ʀ@%@ ʀA&@ ʀB'@ ʀC(@ ʀD)@ ʀE*@ ʀF+@ ʀG,@ ʀH-@ ʀI.@ ʀJ/@ ʀK0@ ʀL1@ ʀM2@ ʀN3@ ʀO4@ ʀP5@ ʀQ6@ ʀR7@ ʀS8@ ʀT9@ ʀU:@ ʀV;@ ʀW<@ ʀX=@ ʀY>@ ʀZ?@ ʀ[@@ ʀ\_@ ]c@ ʐ^b@ _s@ e`t@ ea@ Hb@ Hc@ ed@ ee@ f@ g@ eh@ ei@ ʐj@ ʐk@ l@ m@ n@ eo@ ep@ ʐq@ ʐr@ s@ t@ u@ ev@ ew@ ʐx@ ʐy@ z@ {@ |@ e}@ e~@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐ@ @ @ @ e@ e@ ʐ@ ʐz@ H@ @ @ {@ x@ H@ @ @ 6@ @  @ Q@ d@ (d"@ d@ dR@ (d]@ (d ;@ (d*@ (dT@ d@ d@ (d<@ (d Q@ (d@S@ (d F@ ( G@ 8 @ ( @ ( 8@  9@ h :@ h @ 8$ @ 8, @ (f4 @ e< @ eD @ (eL @ eT @ 8e\ @ ed &@ el '@ et (@ e| @ f @ 0e @ 0e @ 8e @ 0e /@ 0e 0@ 0e 1@ 0e@ U@ @ @  @ #@ @ +@  7@  @   @  @  @  @ a@ b@ c@ d@ e@ @ @ @ @ @ @ @ @ @ @ @ @  @ !@ "@ #@ $@ %@ &@ '@ (f@ )g@ *h@ +i@ ,j@ -@ .@ /@ 0@ 1@ 2k@ 3l@ 4m@ 5n@ 6o@ 7@ 8@ 9@ :@ ;@ <p@ =q@ >r@ ?s@ @t@ A@ B@ C@ D@ E@ F@ G@ H@ I@ J@ K@ L@ M@ N@ O@ Pu@ Qv@ Rw@ S@ T@ U@ V@ W@ X@ Y@ Zx@ [y@ \z@ ]@ ^@ _@ `@ a@ b@ c@ d@ heW@ f@ g@ h@ i@ j@ k@ l@ m@ n@ o@ p@ q@ r@ s@ t@ u@ v!@ w#@ x%@ y'@ z)@ ~@ @ @ @  @ @@ @ @ @  @  @  @  @  @@ @ @ @ @ @ @ >@  ?@  @@  A@   B@  @C@  D@  E@  F@   =@   G@   H@   I@   @J@  K@  L@  M@  N@  O@  P@  {@ |@ }{@ e~|@ e}@ e@ e@ e@ e@ e@ e@ e@ e=@ >@ ?@ @@ A@ D@ E@ @ D< @  @ Q@ d@ (d"@ d@ dR@ (d]@ (d ;@ (d*@ (dT@ d@ d@ (d<@ (d Q@ (d@S@ (d F@ ( G@ 8 @ ( @ ( 8@  9@ h :@ h @ 8$ @ 8, @ (f4 @ e< @ eD @ (eL @ eT @ 8e\ @ ed &@ el '@ et (@ e| @ f @ 0e @ 0e @ 8e @ 0e /@ 0e 0@ 0e 1@ 0e@ U@ @ @  @ #@ @ +@  7@  @   @  @  @  @ a@ b@ c@ d@ e@ @ @ @ @ @ @ @ @ @ @ @ @  @ !@ "@ #@ $@ %@ &@ '@ (f@ )g@ *h@ +i@ ,j@ -@ .@ /@ 0@ 1@ 2k@ 3l@ 4m@ 5n@ 6o@ 7@ 8@ 9@ :@ ;@ <p@ =q@ >r@ ?s@ @t@ A@ B@ C@ D@ E@ F@ G@ H@ I@ J@ K@ L@ M@ N@ O@ Pu@ Qv@ Rw@ S@ T@ U@ V@ W@ X@ Y@ Zx@ [y@ \z@ ]@ ^@ _@ `@ a@ b@ c@ d@ heW@ f@ g@ h@ i@ j@ k@ l@ m@ n@ o@ p@ q@ r@ s@ t@ u@ v!@ w#@ x%@ y'@ z)@ ~@ @ @ @  @ @@ @ @ @  @  @  @  @  @@ @ @ @ @ @ @ >@  ?@  @@  A@   B@  @C@  D@  E@  F@   =@   G@   H@   I@   @J@  K@  L@  M@  N@  O@  P@  {@ |@ }{@ e~|@ e}@ e@ e@ e@ e@ e@ e@ e@ e=@ >@ ?@ @@ A@ D@ E@ @  @ H @ (@ (d@@ "d@ (d@ (d @ HU@ @ e@ e@ e@ e@ e@ e@ e@ e@ e@ e@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @  @ @@ @ @ @  @  @  @  @  @@ @  @  @  @  @  @ @  @  @  @   @  @@  @  @  @   @   @   @   @   @@  @  @  @  @   @  !@  "@ #@ $@ %@ &@ '@ (@ )@ *@ +@ ,@ -@ .@ /@ 0@ 1@ 2@ 3@ 4@ 5@ 6@ 7@ 8@ 9@ :@ ;@ <@ =@ >@ ?@ @@ A@ B@ C@ D@ E@ F@ G@ H@ I@ K@ ʠM@ ʠO@ ʠQ@ ʠS@ ʠU@ ʠW@ ʠY@ ʠ[@ ʠ]@ ʠ_@ ʠa@ ʠc@ ʠe@ ʠg@ ʠi@ ʠk@ ʠm@ ʠo@ ʠq@ ʠs@ ʠ u@ ʠ w@ ʠ y@ ʠ {@ ʠ }@ ʠ@ ʠ@ ʠ@ ʠ@ ʠ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ@ ʀ @ ʀ!@ ʀ"@ ʀ#@ ʀ$@ ʀ%@ ʀ&@ ʀ'@ ʀ(@ ʀ)@ ʀ*@ ʀ+@ ʀ,@ ʀ-@ ʀ.@ ʀ/@ ʀ0@ ʀ1@ ʀ2@ ʀ3@ ʀ4@ ʀ5@ ʀ6@ ʀ7@ ʀ8@ ʀ9@ ʀ@ :@ ;@ <@ =@ >@ ?@ @@ A@ B@ C@ D@ E@ eF@ eG@ HH@ HI@ eJ@ eK@ eL@ eM@ ʐN@ ʐO@ eP@ eQ@ ʐR@ ʐS@ eT@ eU@ ʐV@ ʐW@ eX@ eY@ ʐZ@ ʐ[@ e\@ e]@ ʐ^@ ʐ_@ e` @ ea @ ʐb @ ʐc @ ed @ ee@ ʐf@ ʐg@ eh@ ei@ ʐj@ ʐk@ el@ em@ ʐn@ ʐo@ ep@ eq@ ʐr@ ʐs@ et@ eu@ ʐv@ ʐ @ w!@ xV@ eyW@ ez^@ {_@ |`@ e}a@ e~h@ i@ j@ ek@ er@ s@ t@ eu@ e|@ }@ ~@ e@ e@ @ @ e@ e@ @ @ e@ e@ @ @ e@ e@ @ @ e@ e@ @ @ e@ e@ @ @ @ @  @ '( @  @  @ ( @ @ d@ (d @ d@ @ @ J @  @ ( @ @ d@ (d @ d@ @ @ J @ H @ H @ H @ d@"@ d@ h@ 0wX@l @ D@ d@(d@ d(@(d)@(d*@(dH@(d I@(d@@(dL@(dN@(dS@ d T@ d @(d F@ d@(dK@(d@ d @(d @(d @(d  @( @( @( @( @( @( 7@( @(" P@($ @(( @(, @(0 Q@`4 @(6 @(f> @(eF @(eN @(eV @(e^ @(ef @(en @(ev @ e~ @(e @(e @e @e@e@e@eG@1@@ 2@ 3@ 4@ 5@ W@6@X@Y@Z@[@\@]@^@_@`@a@@@@@@@@ @!@"@#@$@%@&@'@(@)@*@+@,@-b@.c@/d@0e@1f@2@3@4@5@6@7g@8h@9i@:j@;k@<@=@>@?@@@Al@Bm@Cn@Do@Ep@F@G@H@I@J@K@L@M@N@O@P@Q@R@S@T@Uq@Vr@Ws@X@Y@Z@[@\@]@^@_t@`u@av@b@c@d@e@f@g@h@i@\j@k@l@m@n@o@p@q@r@s@t@u@v@w @z@  {@ |@ }@ ~@  @ @@ @ @ @  @  @  @  @@ @ @ @ @ @ @ x@@yA@zC@{@|@}@@ ~@@w@ex@ey@e@e@e@e@e@e@e@e$= @ D@ d@(d@ d(@(d)@(d*@(dH@(d I@(d@@(dL@(dN@(dS@ d T@ d @(d F@ d@(dK@(d@ d @(d @(d @(d  @( @( @( @( @( @( 7@( @(" P@($ @(( @(, @(0 Q@`4 @(6 @(f> @(eF @(eN @(eV @(e^ @(ef @(en @(ev @ e~ @(e @(e @e @e@e@e@eG@1@@ 2@ 3@ 4@ 5@ W@6@X@Y@Z@[@\@]@^@_@`@a@@@@@@@@ @!@"@#@$@%@&@'@(@)@*@+@,@-b@.c@/d@0e@1f@2@3@4@5@6@7g@8h@9i@:j@;k@<@=@>@?@@@Al@Bm@Cn@Do@Ep@F@G@H@I@J@K@L@M@N@O@P@Q@R@S@T@Uq@Vr@Ws@X@Y@Z@[@\@]@^@_t@`u@av@b@c@d@e@f@g@h@i@\j@k@l@m@n@o@p@q@r@s@t@u@v@w @z@  {@ |@ }@ ~@  @ @@ @ @ @  @  @  @  @@ @ @ @ @ @ @ x@@yA@zC@{@|@}@@ ~@@w@ex@ey@e@e@e@e@e@e@e@e |@ H@(d@(d@(d@ d }@(H ~@(H @}@e~@e@e@e@e@e@e@e@e@e@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ @ @  @ @@ @ @ @  @  @  @  @  @@ @ @ @ @ @ @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ @ʀ @ʀ @ʀ @ʀ @ʀ@ʀ @ʀ @ʀ @ʀ @ʀ @ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ@ʀ @H?@ʠ@@ʠA@ʠB@ʠC@ʠD@ʠE@ʠF@ʠ G@ʠ!H@ʠ"I@ʠ#J@ʠ$K@ʠ%L@ʠ&M@ʠ'N@ʠ(O@ʠ)P@ʠ*Q@ʠ+R@ʠ,S@ʠ-T@ʠ.U@ʠ/V@ʠ0W@ʠ1X@ʠ2Y@ʠ3Z@ʠ4[@ʠ5\@ʠ6]@7a@8c@9e@:g@;i@<k@=m@>o@?q@@s@Au@Bv@eCw@eDx@Ey@Fz@G@eH@eI@ʀJ@ʀK@eL@eM@ʐN@ʐO@eP@eQ@ʐR@ʐS@eT@eU@ʐV@ʐW@eX@eY@ʐZ@ʐ[@e\@e]@ʐ^@ʐ_@e`@ea@ʐb@ʐc@ed@ee@ʐf@ʐg@eh@ei@ʐj@ʐk@el@em@ʐn@ʐo@ep@eq@ʐr@ʐs@et@eu@ʐv@ʐw@x@y'@z(@{!@e|"@e})@e~#@$@%@0@1@*@e+@e2@e,@-@.@9@:@3@e4@e;@e5@6@7@B@C@<@e=@eD@e>@?@@@K@L@E@eF@eM@eG@H@I@T@U@N@eO@eV@eP@Q@R@]@^@W@eX@e_@eY@Z@[@f@g@`@ea@eh@eb@c@d@o@p@i@ej@eq@ek@l@m@x@y@r@es@ez@et@u@v@|@{@@@@H@@H@/0@ @ @ d@ d @( @( @( @( @(4 @ @ d@ d @( @( @( @( @( @ H @(H @(H 0  @ @  @ @ d@ d@ d@(d@(d @  @(@ @  @ @ d@ d@ d@(d@(d @  @(@ @ H @ H @(H0 @(@@@@@2T @Application Security Program DevelopmentLELEr@CV_iew,CFilter,CTable,CReport,CUdm,CEdl,CCommandBar,CMap,CVba,CGrouping"@@Arial Arial Arial Arial@ d dd d d ddddd dddd d@d d d d d d!d"d#d $d@%d&d'd(d)d*d+d ,d@-d< .h/l0|123455H67$8&9@:D;H<4=8><?@@DAHBLCDPETF\G`HtIxJKLMN$O# VP(Q*R SXTfUVW Xd@{84B87A6E-85F8-447E-9854-AC6DC3646EA4}@@@@@oj@Tracking Ga&nttj@ @ @ @ @@@@ @@@@@@@@@@@@@@ @!@"@gbui://mainpage.htm$@Z@ NameWork Completed, Remaining Work!@ %@gbui://gbui.xml&@ '@(@)@*@+@,@-@.@] @4# @  @ (hl @ (@ ( n @"(p @"(r @"(@ @"@" z +@" H@& @  @ (hl @ (@ ( @ @ n @ (h @ H.@$ @  @ (hl @ (@ ( @ @ n @ (h @ H@* @  @ (hl @ (@ ( n @#(@  @# v @# H@, @  @ (hl @ (@ ( n @'(@  @'p @' H @@ @ ( @ (hl @ (@ ( n @&(r @&(t @&(x @&(| @&( @&( @&( @&( ;@&(@ :@&E >@& H@TN @) @)D @) H      @~k @  @ (hl @ (@ ( @ @!n @! H      @    x  @ @  @ (hl @ (@ ( @ @-n @-(h @- HFixedDataCBtVar2DatarxFixedMetaVarMetaI~FixedDataGFVar2DataFixedMetaMVarMetaFixedDataKJ2a400000_ffffffff$FixedMeta&VarMetaQ0FixedDataON@Var2Data FixedMetaVarMetaUFixedDataSRVar2DataFixedMetaVarMetaYFixedDataWVVar2DataFixedMetaVarMeta]$FixedData[ZVar2Data.FixedMetaVarMetaa$FixedData_^Var2DataFixedMeta$VarMetaeHFixedDatacbVar2Data[]1ؗAOQ? x@ <@ TSBC"@&&@&[ @& Tracking Ga&ntt @& Entry(@&@ 6@ @ 3@ @ #@ $@ /@ 1@ @ ,5@&  z{|}~  !"#./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmstuvwxy=@&=@&(;Nat"5H[n,?Rex#6I\o-@Sfy$7J]p.ATgz%8K^q /BUh{  & 9 L _ r  (hp e44CU[[Veix  "33&(j G .$@&  z{|}~ '@&(@& *@&+@&@-@&6@&1@&\\cmna.net\proddfs\shared\ISG\USIT-TSAG\Projects&Roadmaps\P09-000 Application Security Program\BSI-MM-Project-base.mpp! "@&&@&[ @& Tracking Ga&ntt @& Entry@&6@ $@&z'@&(@& *@&+@&@-@&1@&\\cmna.net\proddfs\shared\ISG\USIT-TSAG\Projects&Roadmaps\P09-000 Application Security Program\BSI-MM-Project-base.mpp!LINK_2=Nn LINK_2GQDYM&{P @ @ @* @ !@  6@ "@ : 3@ "@ "#@ "$@ "/@  1@   @ "DomainTask NameObjective Code @ @ @  @ #@ $@ /@ 1@ 3@ 6@ @ &Entry&@  @ Entry FK"vK<. LG.@  ldtasks&All Tasks.@  @ All Tasksw1Kt2f @ &Gantt Chart>.D[fTracking Ga&nttfI"$*** %@"@  l[ @" Entry @" &All Tasks@" No Group @"d*@" Gantt Chart>@"# # @"#@"@ 8 &@"8 Standard #@ $@ 1@ #@ $@  )@ w@ $@ $@ $@ #@ $@ #@ $@ #@ $@ #@ $@ #@ $@   )@ w@  $@ $@  #@ $@  $@ $@  $@  # @ @  @ @  @ @ @ @  @ @  @ @ @ @ TaskSplitProgressMilestoneSummaryProject Summary*Group By Summary*Rolled Up Task*Rolled Up Split*Rolled Up Progress*Rolled Up MilestoneExternal TasksExternal MilestoneDeadline*Deliverable Start*Deliverable Finish*Deliverable Duration*Dependency Start*Dependency Finish*Dependency Duration@"@   ! ddGG8 Standard #@ $@ 1@ #@ $@  )@ w@ $@ $@ $@ #@ $@ #@ $@ #@ $@ #@ $@ #@ $@   )@ w@  $@ $@  #@ $@  $@ $@  $@  # @ @ #@ $@ #@ $@ #@ $@ #@ $@ #@ $@ #@ $@ TaskSplitProgressMilestoneSummaryProject Summary*Group By Summary*Rolled Up Task*Rolled Up Split*Rolled Up Progress*Rolled Up MilestoneExternal TasksExternal MilestoneDeadline*Deliverable Start*Deliverable Finish*Deliverable Duration*Dependency Start*Dependency Finish*Dependency Duration8@"/// %@"@  a% @" Entry @" All Tasks@" No Group @"d*@" Tracking Gantt@"#@"@ >@"#  #&@"Standard!o #@ $@ @ j#@ $@ )@ w@ #@ $@  @ k#@ $@ " )@ w@ %+@ ,@ )+@ ,@ -$@ $@ 1,@ ,@ 7$@ $@ $@ #@ t@ ;#@ $@  @ l#@ $@ #@ $@ #@ $@  @ m#@ $@ G)@ w@ M#@ $@  @ n#@ $@ Q)@ w@ W+@ ,@ ] ,@ ,@ b-$@ $@ h#@ $@ i$@ $@  $@  # @ @  @ @  @ @ @ @  @ @  @ @ @ @ CriticalCritical SplitCritical ProgressTaskSplitTask ProgressBaselineBaseline SplitBaseline MilestoneMilestoneSummary ProgressSummaryProject Summary*Group By Summary*Rolled Up Critical*Rolled Up Critical Split*Rolled Up Critical Progress*Rolled Up Task*Rolled Up Split*Rolled Up Task Progress*Rolled Up Baseline*Rolled Up Baseline Milestone*Rolled Up MilestoneExternal TasksExternal MilestoneDeadline*Deliverable Start*Deliverable Finish*Deliverable Duration*Dependency Start*Dependency Finish*Dependency Duration@"@   ! ddGX Standard!o #@ $@ @ j#@ $@ )@ w@ #@ $@  @ k#@ $@ " )@ w@ %+@ ,@ )+@ ,@ -$@ $@ 1,@ ,@ 7$@ $@ $@ #@ t@ ;#@ $@  @ l#@ $@ #@ $@ #@ $@  @ m#@ $@ G)@ w@ M#@ $@  @ n#@ $@ Q)@ w@ W+@ ,@ ] ,@ ,@ b-$@ $@ h#@ $@ i$@ $@  $@  # @ @ #@ $@ #@ $@ #@ $@ #@ $@ #@ $@ #@ $@ CriticalCritical SplitCritical ProgressTaskSplitTask ProgressBaselineBaseline SplitBaseline MilestoneMilestoneSummary ProgressSummaryProject Summary*Group By Summary*Rolled Up Critical*Rolled Up Critical Split*Rolled Up Critical Progress*Rolled Up Task*Rolled Up Split*Rolled Up Task Progress*Rolled Up Baseline*Rolled Up Baseline Milestone*Rolled Up MilestoneExternal TasksExternal MilestoneDeadline*Deliverable Start*Deliverable Finish*Deliverable Duration*Dependency Start*Dependency Finish*Dependency Duration8@"0 @"@  \@ {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}} {\*\generator Riched20 12.0.4518.1014;}\viewkind4\uc1 \pard\qc\f0\fs16 Page &P\par } {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}} {\*\generator Riched20 12.0.4518.1014;}\viewkind4\uc1 \pard\f0\fs16 Project: &p\par Date: &D\par } {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}} {\*\generator Riched20 12.0.4518.1014;}\viewkind4\uc1 \pard\qc\f0\fs16 Page &P\par } {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}} {\*\generator Riched20 12.0.4518.1014;}\viewkind4\uc1 \pard\f0\fs16 Project: &p\par Date: &D\par } ]@ Z@"*@ c\@"