We are coming up on fall here in the States, and for most of us, that means two big types of kickoffs are happening: new business initiatives and football. Budgets tend to land around the same time as football season, so if you want to enjoy your Sunday kickoffs, follow this list of four impactful activities to make your software integrity program kickoff a success.
1. Build your team
Everyone on the field has a role. Pick your captains, coaches, and quarterbacks wisely.
- Give the ball to your quarterback. Assign a software integrity program owner who can make the important decisions and run all the moving parts associated with a large program.
- Recruit security captains. Developers who show an interest in and affinity for software security can be recruited as security champions to lead the security effort within their teams.
- Assign a training coach. The best way to steer an organization toward a culture of security is through training. Having a training manager track and assign training courses will ensure that everyone is capable of building secure and quality software.
2. Have a playbook
Set expectations and provide a clear path to the goal. Clearly define what software integrity is for every level of the organization.
- Set the vision for your team. Every organization should have a set of goals and principles, and a security initiative is no different. Provide a clear vision in the security policy for what software integrity will look like within your organization.
- Paint the end zones. Work with the software security group (SSG) to develop application development standards that applications can be measured against. Enforce these standards through security gates, and prevent vulnerable software from being deployed to production.
- Provide runbooks and playbooks to your team. Where the application development standards set the requirements to meet, give developers coding guidelines that show how to meet them.
- Deal with calls from the ref. No security organization is perfect, and vulnerabilities will be discovered at all phases of an application’s life cycle. Have a plan in place to track vulnerabilities as they are fixed, and set remediation schedules to ensure that vulnerabilities are fixed in a timely manner.
3. Have a training plan
Properly training developers often prevents vulnerabilities from popping up in source code. Provide awareness and skills training to get everyone preventing, detecting, and remediating vulnerabilities as software is being designed and built.
- Roll out computer-based training for wide coverage. Computer-based training is a great way to provide introductions to software security and software quality to all the developers within an organization. Provide computer-based training to get people talking about security.
- Give instructor-led training to key developers and security professionals. An instructor can give more in-depth training that can empower key developers within your organization to build security into their projects from the inside out.
4. Huddle up
Communication is key in football and in business. From in-game huddles and pre-play audibles to broadcast announcers and post-game interviews, communicate to different audiences the information they need to know.
- Secure senior leadership buy-in. When software integrity is a priority of the senior leadership, it becomes a priority for the entire organization. Communicate the overall goals of the software integrity program, discuss at a high level what the different parts are, and solicit feedback.
- Inform development managers of incoming requirements and resources. The development teams and managers will be responsible for executing the software integrity plan. Enable them to do so by clearly communicating why and how they will be building secure software.
- Don’t forget to include the guys with the budget. Software integrity isn’t free. There may be tool buys, process considerations, and schedule adjustments that come with rolling out and following a software integrity strategy.
- Let everybody know security is a priority. Use corporate web pages, mailing lists, newsletters, and meetings to let everyone know about the new security strategy.
Ready for game time?
Football and software aren’t all that different. Even the goals (see what I did there?) mirror each other: The defense blocks the opposing team from getting to the end zone. It’s bad news for your team if the opposition scores a touchdown. Therefore, your defensive strategy is critical. These four impactful elements will help you keep your firm’s software integrity game strong!
Ready for kickoff?