Software Integrity Blog


Setting up a software security group in 5 steps

Traveling with a group will motivate you to pick up the pace. Working together, a team will share the load and make everyone’s pack lighter. The right team can make the difference between a painful slog and an incredible adventure.

Meet your hiking party—the Software Security Group (SSG).

Why have a software security group?

In many organizations, security leaders are balancing network, software, endpoint, even physical security as part of their responsibilities. They must balance budget and resources across all areas. Most don’t have specific expertise in the evolving requirements of software security—nor are they expected to.

An SSG—an assigned group with full-time responsibility—treats software security as a distinct area of cyber risk, managed by a team that understands the unique challenges of acquiring, creating, deploying, and managing secure software. Having an SSG is a clear indicator of software security maturity, according to the Building Security In Maturity Model (BSIMM). Every BSIMM participant organization that implements the most advanced risk management activities has an SSG.

A well-functioning SSG can lower the cost of a cyber attack. Companies that employ expert security staff can reduce cyber crime costs by an average of $1.5 million. Those that appoint a high-level security leader reduce costs by an average of $1.3 million.

What does an SSG do?

The SSG is ultimately responsible for finding and fixing software security defects in software you develop, license, or manage. It also helps ensure the vendors with whom you share data have adequate software security initiatives of their own.

An SSG is unique. It sits at the crossroads of security and development functions and looks for interaction points between the two groups. It manages the process of introducing software security into the software development life cycle, and on the flip side, integrates the development perspective and process into security policies.

The SSG also serves as a ‘center of excellence’ for all software security needs, such as policy, standards, tools, experts, training, and so on, so that people have a place to get answers and improve their skills.

To increase awareness and education of software security, the SSG reports on software security metrics, communicates results to executives and the organization at large, and makes the business case for needed resources.

This step-by-step guide will help you set up a well-prepared team to face the software security journey ahead.
