Organization and Culture

Model | Governance | Education & Guidance | Organization and Culture

Benefit

Basic embedding of security in the development organization

Activity

Implement a program where each software development team has a member considered a “Security Champion” who is the liaison between Information Security and developers. Depending on the size and structure of the team the “Security Champion” may be a software developer, tester, or a product manager. The “Security Champion” has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. “Security Champions” have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support “Security Champions” for cultural reasons.

The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, “Security Champions” assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.

In addition to assisting Information Security, “Security Champions” provide periodic reviews of all security-related issues for the project team so everyone is aware of the problems and any current and future remediation efforts. These reviews are leveraged to help brainstorm solutions to more complex problems by engaging the entire development team.

Question

Have you identified a Security Champion for each development team?

Quality criteria

Security Champions receive appropriate training
Application Security and Development teams receive periodic briefings from Security Champions on the overall status of security initiatives and fixes
The Security Champion reviews the results of external testing before adding to the application backlog

Answers

No
Yes, for some teams
Yes, for at least half of the teams
Yes, for most or all of the teams

Benefit

Specific security best practices tailored to the organization

Activity

The organization implements a formal secure coding center of excellence, with architects and senior developers representing the different business units and technology stacks. The team has an official charter and defines standards and best practices to improve software development practices. The goal is to mitigate the way velocity of change in technology, programming languages, and development frameworks and libraries makes it difficult for Information Security professionals to be fully informed of all the technical nuances that impact security. Even developers often struggle keeping up with all the changes and new tools intended to make software development faster, better, and safer.

This ensures all current programming efforts follow industry’s best practices and organization’s development and implementation standards include all critical configuration settings. It helps identify, train, and support “Product Champions”, responsible for assisting different teams with implementing tools that automate, streamline, or improve various aspects of the SDLC. It identifies development teams with higher maturity levels within their SDLC and the practices and tools that enable these achievements, with the goal of replicating them to other teams.

The group provides subject matter expertise, helping information security teams evaluate tools and solutions to improve application security, ensuring these tools are not only useful but also compatible with the way different teams develop applications. Teams looking to make significant architectural changes to their software consult with this group to avoid adversely impacting the SDLC lifecycle or established security controls.

Question

Does the organization have a Secure Software Center of Excellence (SSCE)?

Quality criteria

The SSCE has a charter defining its role in the organization
Development teams review all significant architectural changes with the SSCE
The SSCE publishes SDLC standards and guidelines related to Application Security
Product Champions are responsible for promoting the use of specific security tools

Answers

No
Yes, we started implementing it
Yes, for part of the organization
Yes, for the entire organization

Benefit

Collective development of security know-how among all product teams

Activity

Security is the responsibility of all employees, not just the Information Security team. Deploy communication and knowledge sharing platforms to help developers build communities around different technologies, tools, and programming languages. In these communities employees share information, discuss challenges with other developers, and search the knowledge base for answers to previously discussed issues.

Form communities around roles and responsibilities and enable developers and engineers from different teams and business units to communicate freely and benefit from each other’s expertise. Encourage participation, set up a program to promote those who help the most people as thought leaders, and have management recognize them. In addition to improving application security, this platform may help identify future members of the Secure Software Center of Excellence, or ‘Security Champions’ based on their expertise and willingness to help others.

The Secure Software Center of Excellence and Application Security teams review the information portal regularly for insights into the new and upcoming technologies, as well as opportunities to assist the development community with new initiatives, tools, programs, and training resources. Use the portal to disseminate information about new standards, tools, and resources to all developers for the continued improvement of SDLC maturity and application security.

Question

Is there a centralized portal where developers and application security professionals from different teams and business units are able to communicate and share information?

Quality criteria

The organization promotes use of a single portal across different teams and business units
The portal is used for timely information such as notification of security incidents, tool updates, architectural standard changes, and other related announcements
The portal is widely recognized by developers and architects as a centralized repository of the organization-specific application security information
All content is considered persistent and searchable
The portal provides access to application-specific security metrics

Answers

No
Yes, we started implementing it
Yes, for part of the organization
Yes, for the entire organization