cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cclements
Newcomer II

Creating a Secure Application Development Program

Greetings ISC^2 colleagues,

 

I am a freshly minted CSSLP in a newly created role in my organization, Application Security Architect.  My background consists of 20 years in application development.  I was recruited into the security side as a result of my volunteer work as a security champion in our application development community of practice.

 

In this coming year I will be tasked with establishing a secure application development program.  However, we are starting from absolute scratch. For the moment I am not concerned with COTS software.

 

  • We have no documented secure code guidelines.
  • We have zero secure code training for application developers. 
  • We do not perform manual security code reviews.
  • We have no SCA or SAST tools, or they are not widely used.  
  • We do not perform DAST or pen-testing of deployed applications.

For those of you that have worked or are working in organizations that have established and mature Secure SDLC programs, what does it look like?  Where do I begin?   It feels like my points above are an outline.

7 Replies
tmekelburg1
Community Champion

I always think it's best when starting a new program from scratch, is start with a framework.

 

Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of...

swh5a01
Newcomer II

@cclements , I suggested to starts with code-reviews and you could actually find what is happening and how you can start the trainings.

 

After the adjustment, find the SCA/SAST into the CI/CD would definitely help on your next. 

 

This is how I did in my situation and it could balance the works and efficient of the program introduction. 

cclements
Newcomer II

Thank you for this suggestion. It appears I have some light reading ahead of me.
cclements
Newcomer II

Thank you for the suggestions. I considered starting with the OWASP code review guide. It seems the simplest way to get started.
tmekelburg1
Community Champion

@cclements And policies to write. Just don't reinvent the wheel and try to do it all on your own. There are templates all over the Internet that can be modified for your specific program.

iluom
Contributor II

Hello @cclements ,

 

best way as far as I know is download  OWASP SAMM or BSIMM11 both are great tools for your situation.

SAMM is a prescriptive model, an open framework which is simple to use, fully defined, and measurable. The
solution details are easy enough to follow even for non-security personnel. It helps organizations analyze
their current software security practices, build a security program in defined iterations, show progressive
improvements in secure practices, define, and measure security-related activities.

 

Cheers

Mouli

 

Mouli, CISSP
cclements
Newcomer II

That you for this recommendation Mouli. I will certainly check out the SAMM and BSIM11 frameworks.