Greetings ISC^2 colleagues,
I am a freshly minted CSSLP in a newly created role in my organization, Application Security Architect. My background consists of 20 years in application development. I was recruited into the security side as a result of my volunteer work as a security champion in our application development community of practice.
In this coming year I will be tasked with establishing a secure application development program. However, we are starting from absolute scratch. For the moment I am not concerned with COTS software.
For those of you that have worked or are working in organizations that have established and mature Secure SDLC programs, what does it look like? Where do I begin? It feels like my points above are an outline.
I always think it's best when starting a new program from scratch, is start with a framework.
Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of...
@cclements , I suggested to starts with code-reviews and you could actually find what is happening and how you can start the trainings.
After the adjustment, find the SCA/SAST into the CI/CD would definitely help on your next.
This is how I did in my situation and it could balance the works and efficient of the program introduction.
@cclements And policies to write. Just don't reinvent the wheel and try to do it all on your own. There are templates all over the Internet that can be modified for your specific program.
Hello @cclements ,
best way as far as I know is download OWASP SAMM or BSIMM11 both are great tools for your situation.
SAMM is a prescriptive model, an open framework which is simple to use, fully defined, and measurable. The
solution details are easy enough to follow even for non-security personnel. It helps organizations analyze
their current software security practices, build a security program in defined iterations, show progressive
improvements in secure practices, define, and measure security-related activities.