SecDevOps practices are used for application development.
Define and periodically review roles and responsibilities for all SDLC team members, ensuring they incorporate security-related tasks. Designate code ownership, promote cross-functional communication, and adapt roles to support secure development practices, fostering accountability and a strong security culture within the development process.
Establish a Security Champion program within each software development team to enhance application security and foster collaboration between Information Security and development teams. A Security Champion, selected from roles such as developer, tester, or product manager, dedicates a portion of their time to Information Security activities and acts as a liaison between teams. These champions receive specialized training to become subject-matter experts in software security and participate in regular security briefings to stay updated on best practices and emerging threats. The Security Champion's responsibilities include identifying, prioritizing, and addressing security and compliance-related defects, as well as assisting in risk assessments, threat assessments, and architectural reviews. They play a critical role in strengthening the application's resilience by identifying opportunities to reduce attack surfaces and improve design. Security Champions also conduct periodic reviews of security-related issues, ensuring all team members are aware of existing vulnerabilities, ongoing remediation efforts, and future plans. By facilitating brainstorming sessions and promoting cross-functional communication, they help the team collaboratively address complex security challenges, building a robust security culture across the organization.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-05-01-01 | Define the role and responsibilities of security champions | Clearly outline the responsibilities of Security Champions, including liaising with the Information Security team, reviewing security defects, and participating in risk and threat assessments. | Preparation | Security team, Development leads, Product managers |
SSS-02-02-05-01-02 | Select and assign security champions | Identify and assign a Security Champion in each software development team. Select individuals with a strong understanding of the project and an interest in security practices. | Development | Development leads, Security team, HR team |
SSS-02-02-05-01-03 | Provide specialized training for security champions | Offer additional training programs to help Security Champions become subject-matter experts in application security, compliance, and threat modeling. | Development | Security team, External training providers |
SSS-02-02-05-01-04 | Establish a regular communication framework | Organize periodic meetings, briefings, and collaborative sessions for Security Champions to share updates, insights, and solutions to common security challenges. | Development | Security team, Development teams |
SSS-02-02-05-01-05 | Empower champions in security processes | Include Security Champions in critical security processes, such as architectural reviews, risk assessments, and threat modeling, to ensure their involvement in key decision-making. | Deployment | Development teams, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.2.1); OWASP SAMM: Software Assurance Maturity Model (G-EG-1-B) | | |
To establish a security community, the organization must foster collaboration and communication among employees involved in software security. Security must be treated as everyone's responsibility, not just the Information Security team's. This involves creating platforms for knowledge sharing, forming communities around roles and responsibilities, and encouraging engagement. Recognition programs promote active participation and identify potential Security Champions. The initiative supports application security improvement and enhances the organization's SDLC maturity by regularly disseminating updates, tools, and training.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-05-02-01 | Deploy communication and knowledge-sharing platforms | Implement tools (e.g., forums, Slack, SharePoint) to enable developers and engineers to share information, discuss challenges, and access a knowledge base of previously addressed issues, building communities around technologies, tools, and programming languages. | Preparation | Security Teams |
SSS-02-02-05-02-02 | Form communities around roles and responsibilities | Create groups based on roles (e.g., developers, testers, engineers) and responsibilities to facilitate cross-team collaboration. Encourage communication across business units, allowing members to share expertise and learn from each other. | Development | Team Leaders |
SSS-02-02-05-02-03 | Promote participation and recognize contributions | Establish a recognition program to reward employees who contribute the most to the community, promoting them as thought leaders. Use management recognition to encourage participation and foster a culture of knowledge sharing and collaboration. | Deployment | Management Teams |
SSS-02-02-05-02-04 | Review and maintain the information portal | Have the Secure Software Center of Excellence and Application Security teams regularly review the portal for new insights, identify trends, and provide developers with updates on standards, tools, and training resources to improve SDLC maturity and application security. | Post-deployment | Secure Software Center of Excellence |
SSS-02-02-05-02-05 | Identify and empower security champions | Use community engagement metrics and contributions to identify future Security Champions. Provide them with resources, responsibilities, and training to further strengthen their role in advancing application security and assisting the development community. | Post-deployment | Application Security Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.2.1); OWASP SAMM: Software Assurance Maturity Model (G-EG-3-B) | | |
To enhance application security, provide comprehensive security awareness training to all personnel involved in software development, including management, developers, testers, and auditors. This training should emphasize understanding application security threats, risks, best practices, and secure design principles like Least Privilege, Defense-in-Depth, and Fail Secure. Cover key organizational standards and high-level overviews of vulnerabilities, such as the OWASP Top 10. Training can be developed internally or sourced externally, with a preference for in-person sessions to encourage team discussions. Computer-Based Training (CBT) is an alternative. Use innovative methods like gamification to keep the content engaging and effective. The training must be mandatory and include an auditable sign-off to demonstrate compliance. This initiative ensures that all stakeholders are equipped with the knowledge to mitigate security risks, align with organizational security policies, and contribute to the development of secure software.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-05-03-01 | Develop or procure security awareness training | Create or procure training materials tailored to the roles involved in software development, covering secure design principles, organizational standards, and the OWASP Top 10 vulnerabilities. Ensure the content is accessible to both technical and non-technical audiences. | Preparation | Training Teams |
SSS-02-02-05-03-02 | Deliver training to all relevant stakeholders | Conduct mandatory security awareness training for all employees and contractors involved in the software lifecycle. Deliver training in person for team discussions where possible, or use Computer-Based Training (CBT) as an alternative. | Development | Training Teams |
SSS-02-02-05-03-03 | Incorporate innovative training methods | Utilize methods such as gamification to engage participants, improve retention of key concepts, and combat desensitization. Tailor the delivery style to maximize effectiveness for diverse learning preferences. | Deployment | Training Teams |
SSS-02-02-05-03-04 | Track and audit training compliance | Implement a system for auditable sign-offs to ensure all stakeholders complete the training and demonstrate compliance. Use these records for reporting and continuous improvement of training programs. | Post-deployment | Compliance Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.2.1); OWASP SAMM: Software Assurance Maturity Model (G-EG-1-A) | | |