
Igniting Adoption of a Secure Software Development Lifecycle – A Guide for Secure Software Champions

Feb 24, 2022

By Cynthia Freeney, CSSLP. Cynthia currently holds the dual role of project manager and security officer. Her current focus in the security realm is ensuring that organizational policies, procedures, processes and security controls are in compliance and will withstand an upcoming SOC 2 Type II audit.

There is a consensus among many industry thought leaders, leaders within small, mid-sized and large organizations, security researchers, and others regarding the importance of delivering secure solutions and products. An organization’s ability to consistently and effectively provide secure products and solutions is predicated on its level of risk awareness, its commitment to adopting and auditing processes that promote secure software development, and its allocated budget and resources. A secure software development lifecycle is essential to developing secure products and solutions. Organizations must establish security requirements early and monitor implementation milestones and effectiveness throughout the software development lifecycle (SDLC). However, some organizations give varying reasons for the slow adoption of a secure software development lifecycle, including budget constraints, resource availability, and the absence of the needed skillset. Nonetheless, low-cost actions can facilitate the adoption of a secure software development lifecycle. Therefore, enterprising individuals can ignite their organization’s adoption of a secure software development lifecycle by fully embodying a secure software champion mindset, modifying their own behavior, seeking influential allies, and identifying lightweight processes and tools.

Individuals who either have secure software development knowledge, are curious about developing secure products and solutions, or are investing time learning about the secure software development lifecycle should consider themselves secure software champions, especially in the absence of any organizational planning or progress towards implementing processes to support a secure software development lifecycle. Secure software development champions should promote awareness without being accusatory or pessimistic. They should cultivate duality in communication, having the ability to express themselves in technical and non-technical terms depending on their audience. Secure software champions must be diligent about seeking opportunities to promote awareness through approved “lunch and learns,” after-work and offsite outings, and events that serve to educate and promote awareness. Secure software champions should have allies inside and outside their organization and know that credibility is key to securing allies. Therefore it is imperative to engage in continuous learning and to admit when you don’t know the answer to an inquiry or query.

Secure software champions in roles that require direct touchpoints with one or more software development phases should proactively adopt behaviors that align with a secure software development lifecycle. However, adopted behaviors should not impact existing allocated budgets, schedules, or resource allocations until a commitment or sign-off is received from the leadership team.

Adopted behaviors can vary based on organizational role. Software architects should ensure that secure design principles are implemented to protect application security, perhaps with an initial focus on the fail-safe secure design principle, whose benefits are easier to communicate to non-technical stakeholders. Software developers should focus on developing secure code through adherence to one of the many secure software coding standards. Software testers should ensure that the default configuration of the product or solution meets best-practice standards and, iteratively over time, augment existing test suites to include security-related tests. The behavior modifications mentioned above are initial steps that provide incremental value without requiring significant levels of effort. However, secure software champions’ advocacy and behavior changes alone will not lead to the formal adoption of a secure software development lifecycle. Securing influential allies is critical when seeking an organizational change towards adopting a formal secure software development lifecycle.
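To make the fail-safe default principle and the "security-related tests" concrete, here is an added illustration that is not part of the original post: a fail-open authorization check beside its fail-safe counterpart, plus the kind of negative test cases a tester could add to an existing suite. The policy table, roles and the simulated role directory are constructed for the example.

```python
# Added illustration (not from the original post): the fail-safe default
# principle in code, with security test inputs a tester can add to a suite.
# The policy table and the simulated role directory are constructed.

from typing import Optional

# Constructed sample policy: role -> set of permitted actions.
POLICY = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}


def lookup_role(user: dict) -> Optional[str]:
    """Simulates a role lookup that can fail (e.g. directory unreachable)."""
    if user.get("directory_down"):
        raise ConnectionError("role directory unavailable")
    return user.get("role")


def is_allowed_fail_open(user: dict, action: str) -> bool:
    """Anti-pattern: any failure in the decision path grants access."""
    try:
        role = lookup_role(user)
    except ConnectionError:
        return True            # fails open: an outage means everyone is allowed
    if role not in POLICY:
        return True            # unknown or missing role treated as trusted
    return action in POLICY[role]


def is_allowed_fail_safe(user: dict, action: str) -> bool:
    """Fail-safe default: access is granted only on an explicit positive match."""
    try:
        role = lookup_role(user)
    except ConnectionError:
        return False           # outage means deny (and should be logged/alerted)
    if role is None or role not in POLICY:
        return False           # missing or unknown role is denied
    return action in POLICY[role]


def security_test_cases() -> list:
    """Security-oriented inputs for an existing test suite: each (user, action)
    pair must be denied by a fail-safe implementation."""
    return [
        ({"role": "viewer"}, "delete"),                        # action not granted
        ({"role": "contractor"}, "read"),                      # role absent from policy
        ({}, "read"),                                          # no role attribute at all
        ({"role": "admin", "directory_down": True}, "read"),   # lookup failure
    ]
```

Running `security_test_cases()` through both functions shows why the fail-open version passes functional tests yet fails every negative case.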

When engaging influential allies regarding the adoption of a secure software development lifecycle, preparation and patience are key factors. Secure software champions should be armed with facts about the business benefits of adopting a secure software development lifecycle, the adoption level of effort, potential next steps, and references to easy-to-read case studies describing similar-sized organizations’ journeys towards a secure software development lifecycle. Pressure tactics should be avoided, and when there is more than one internal influential ally, a meeting with all of them should be scheduled. Secure software champions should understand their organization’s risk posture before the meeting. After this meeting, there should be a level-set understanding of the next steps, some initial and achievable milestones, and a narrow list of identified tools and lightweight processes. Depending on an organization’s risk posture, some organizations roll out new processes and tools in a wholesale fashion, whereas others introduce them incrementally.

Psychological acceptance is a significant factor that must be considered when selecting processes and tools. Therefore, choosing straightforward, lightweight processes and tools is essential to adopting a secure software development lifecycle. Secure software champions should join (ISC)² to access training and online communities, which would benefit this journey. Secure software champions can also review other information sources, including the OWASP Top 10, SANS, Microsoft, etc. Once a decision has been made regarding the appropriate processes and toolset, leadership must publicly acknowledge their support and expectations, with periodic assessment of progress. This public display of support will indicate to affected members of the organization and to stakeholders that executive management is committed to adopting a secure software development lifecycle and recognizes its perceived benefit to the organization.