The results of the BSIMM3 study suggest that having a software security group and a senior executive in charge of software security are essential to secure software development. Who should be involved with an enterprise software security group, and what senior executive role should be the software security stakeholder?
Maturity models are a valuable tool as they enable organizations to compare their initiatives, in this case software security, to enterprises with more experience so they can prioritize where to make improvements. The BSIMM3 study found that organizations with mature software development operations typically have a senior executive in charge of software security and a dedicated software security group (SSG) to manage the development program.
To accomplish any task within an organization, someone or some group needs to be in charge, so a senior executive should be board appointed to ensure software security is recognized as an integral part of the business and carries the same weight as other business drivers. Without this level of political backing, others are unlikely to factor software security properly into their activities. The executive should genuinely believe in the need for software security and proactively champion security awareness across the company so that it becomes embedded in the company's culture.
The executive needs to be accountable for software security, so he or she must possess the authority and resources to get the job done. The executive's actual title depends on the organization's internal structure and on whether the role sits within the office of the CIO, CTO, general counsel, or compliance and risk management, or is completely independent.
Beyond the senior executive, the second most important role in a software security initiative is that of the SSG. The best SSG members are software security experts who can relate to developers as well as to IT and network security teams. If these roles prove difficult to fill, consider training some developers in security; this is generally easier than trying to teach network security staff how to write software. Because software security is not just about finding bugs in reams of code, balance members who have coding experience with those who have architecture and design experience.
Communication and teaching skills are also important for SSG members, as they need to mentor and interface with various groups that have different objectives and priorities. Because software security does not end when software is sold or installed, the SSG must support staff in operations and network administration, business owners, incident response groups, and marketing or PR. Everyone must understand and appreciate how early investment in security affects the degree to which users will trust the company's products. In particular, those in marketing and PR should fully appreciate the importance of security in differentiating a product from its competitors. They need to be able to answer questions from potential buyers and the press about a product's security features knowledgeably and to make security a value proposition.
Businesses today depend on reliable, secure software. The study found that leading firms who take secure software development seriously employ on average two full-time software security specialists for every 100 developers, but do not become overly concerned with matching a specific ratio. There is no perfect approach to software security. Each organization should formulate an organic approach that accounts for its specific workload and software lifecycle.
This was first published in January 2012