Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cclements
Newcomer II
‎12-28-2022 11:08 AM
‎12-28-2022 11:08 AM

Creating a Secure Application Development Program

Greetings ISC^2 colleagues,

 

I am a freshly minted CSSLP in a newly created role in my organization, Application Security Architect.  My background consists of 20 years in application development.  I was recruited into the security side as a result of my volunteer work as a security champion in our application development community of practice.

 

In this coming year I will be tasked with establishing a secure application development program.  However, we are starting from absolute scratch. For the moment I am not concerned with COTS software.

 

  • We have no documented secure code guidelines.
  • We have zero secure code training for application developers. 
  • We do not perform manual security code reviews.
  • We have no SCA or SAST tools, or they are not widely used.  
  • We do not perform DAST or pen-testing of deployed applications.

For those of you that have worked or are working in organizations that have established and mature Secure SDLC programs, what does it look like?  Where do I begin?   It feels like my points above are an outline.

Reply
7 Replies
tmekelburg1
Community Champion
‎12-28-2022 01:45 PM
‎12-28-2022 01:45 PM

I always think it's best when starting a new program from scratch, is start with a framework.

 

Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of...

Reply
swh5a01
Newcomer III
‎12-28-2022 08:15 PM
‎12-28-2022 08:15 PM

@cclements , I suggested to starts with code-reviews and you could actually find what is happening and how you can start the trainings.

 

After the adjustment, find the SCA/SAST into the CI/CD would definitely help on your next. 

 

This is how I did in my situation and it could balance the works and efficient of the program introduction. 

Reply
cclements
Newcomer II
‎12-29-2022 02:06 AM
‎12-29-2022 02:06 AM

Thank you for this suggestion. It appears I have some light reading ahead of me.
Reply
0 Kudos
cclements
Newcomer II
‎12-29-2022 02:07 AM
‎12-29-2022 02:07 AM

Thank you for the suggestions. I considered starting with the OWASP code review guide. It seems the simplest way to get started.
Reply
tmekelburg1
Community Champion
‎12-29-2022 08:18 AM
‎12-29-2022 08:18 AM

@cclements And policies to write. Just don't reinvent the wheel and try to do it all on your own. There are templates all over the Internet that can be modified for your specific program.

Reply
iluom
Contributor II
‎01-11-2023 09:07 AM
‎01-11-2023 09:07 AM

Hello @cclements ,

 

best way as far as I know is download  OWASP SAMM or BSIMM11 both are great tools for your situation.

SAMM is a prescriptive model, an open framework which is simple to use, fully defined, and measurable. The
solution details are easy enough to follow even for non-security personnel. It helps organizations analyze
their current software security practices, build a security program in defined iterations, show progressive
improvements in secure practices, define, and measure security-related activities.

 

Cheers

Mouli

 

Chandra Mouli, CISSP, CCSP, CSSLP
Reply
0 Kudos
cclements
Newcomer II
‎01-17-2023 11:23 AM
‎01-17-2023 11:23 AM

That you for this recommendation Mouli. I will certainly check out the SAMM and BSIM11 frameworks.
Reply
0 Kudos