[ISM] Secure-by-design:

Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.

[SSDF] Secure management commitment to development security (SSS-02-01-06)

Secure a commitment from upper management to secure development, and communicate this support to all development-related personnel. Appoint a leader to oversee the process, raise awareness of the risks of insecure development, and educate staff on the significance of security-focused practices within the organization.

[SAMM] Define the security strategy and secure buy-in from stakeholders (SSS-02-01-06-01)

Develop a comprehensive security strategy that aligns with the organization's business priorities, risk tolerance, and resource constraints. This strategy should include a 1-3 year roadmap addressing application security objectives and detailing tactical and strategic initiatives. The roadmap must align with the organization’s business drivers and threats, balancing financial costs, procedural adjustments, and cultural changes without overburdening teams or resources. Set clear milestones to monitor progress, with frequent assessments to allow for timely adjustments. To ensure success, secure buy-in from stakeholders, including upper management, application security teams, and development teams, emphasizing the importance of their active participation. Publish the strategic plan to ensure transparency and accessibility for all relevant personnel involved in its implementation. This approach raises awareness, fosters collaboration, and embeds security-focused practices across the organization, guided by visible leadership and structured objectives.

Operations

ID: SSS-02-01-06-01-01
Operation: Assess assets, threats, and risk tolerance
Description: Use frameworks like NIST or ISO 27001 to evaluate assets and risks, identifying critical systems and applications to prioritize.
Phase: Preparation
Agent: Security team, Risk management team, Development leads

ID: SSS-02-01-06-01-02
Operation: Develop a security strategic plan and roadmap
Description: Create a 1 to 3-year strategic plan that aligns with business priorities, outlining tactical and strategic initiatives. Include specific initiatives like implementing static code analysis tools, conducting quarterly penetration tests, or creating secure coding guidelines.
Phase: Preparation
Agent: Security team, Business leaders, Finance team

ID: SSS-02-01-06-01-03
Operation: Balance initiatives across financial, process, and cultural changes
Description: Balance budget allocations for new security tools with process changes like DevSecOps integration and cultural initiatives like security training programs.
Phase: Development
Agent: Security team, HR team, Development teams

ID: SSS-02-01-06-01-04
Operation: Obtain stakeholder buy-in and publish the plan
Description: Present the plan in an executive meeting, emphasize alignment with business goals, and share a simplified version with development teams for transparency.
Phase: Development
Agent: Upper management, Security team, Development teams

ID: SSS-02-01-06-01-05
Operation: Track milestones and adjust the roadmap
Description: Monitor progress against defined milestones to measure success. Adjust the roadmap based on feedback and changing business or risk priorities.
Phase: Post-deployment
Agent: Security team, Project managers, Development teams

References

Industry framework:
- Information Security Manual (ISM-0401)
- NIST Secure Software Development Framework (PO.2.3)
- OWASP SAMM: Software Assurance Maturity Model (G-SM-2-A)

Academic work: (none listed)

Real-world case: (none listed)