Steps to Setting Up a Software Security Group

What does a software security group do?

The SSG is ultimately responsible for finding and fixing software security defects in software you develop, license, or manage. It also helps ensure the vendors with whom you share data have adequate software security initiatives of their own.

An SSG is unique because it sits at the crossroads of security and development functions and looks for interaction points between the two groups.

It manages the process of introducing software security into the software development life cycle and, on the flip side, integrates the development perspective and process into security policies.

The SSG serves as a “center of excellence” for all software security needs, such as policy, standards, tools, experts, training, and so on, so that people have a place to get answers and improve their skills.

To increase awareness and knowledge of software security, the SSG reports on software security metrics, communicates results to executives and the organization at large, and makes the business case for needed resources.

Step 1: Gain executive support

You won’t make much progress on your journey without the backing of your executive team. You’ll need resources to build your SSG, as well as ongoing support to reinforce your policies and decisions within the organization.

Security awareness among boards of directors and executives is at an all-time high, but that doesn’t mean that your leadership team understands the nuances of putting together a software security initiative. Most execs don’t have a security background and won’t appreciate technical jargon.

To maintain management support for your SSG, you need to share your successes—in terms your audience understands and values.

• Explain how a software security initiative developed and managed by an SSG supports broader business goals, such as cost savings, competitive advantage, and customer satisfaction.
• In particular, focus on how the unique approach of an SSG can be a model for cross-functional cooperation to achieve the goals of both the security team and the development organization. By moving security “left” in the software development life cycle, you should be able to identify issues early and launch secure software products more quickly.
• Set up a regular reporting cadence so you can demonstrate how investment in an SSG yields continued progress.

Step 2: Pick a team lead

An experienced team lead knows the best spots along the journey and can spot the dangers.

Depending on the organization, the SSG could sit under a variety of executives. For example, it could be under the CIO or CSO—as a key part of security strategy, along with network, endpoint, and physical security. It could be under the CTO as a key part of technology or under the CRO as a key part of risk management. On the other hand, it could be embedded as a senior position within a product development organization.

In any case, the team lead needs to be someone with the vision, management skills, authority, and resources to lead the organization on the journey toward software security maturity.

Step 3: Define an organizational structure

The organizational structure of an SSG should encourage maximum communication and teamwork between the security and development functions. It’s essential to clarify roles and responsibilities, decision-making power, and budget authority. The more clearly you outline these points, the more smoothly your SSG will run.

There is no “right way” to organize your team. Your structure should fit the culture of your organization. Among BSIMM organizations, there are five different models for structuring an SSG.

1. Service Model. This SSG offers software security activities such as pen testing, SAST, DAST, and so on “as a service” from a central hub. All work must go through the central group and follow standard processes. This model requires the SSG to sign off before products are released.

Pro: Ensures consistent security protections.

Con: Product groups may need to wait to book resources, depending on demand. Developers may feel they have less responsibility for the security of their products.

2. Policy Model. A central team sets standard guidelines, but doesn’t do actual execution. Policies include risk ranking and classification, creating knowledge bases and security frameworks, managing vendor compliance, and employee training.

Pro: Fewer people considered “overhead” in a central team.

Con: May be difficult to enforce policies.

3. Hybrid Model. This SSG offers both services and policy as explained above.

Pro: A full-service SSG makes it easier to measure which policies are carried out and their level of impact.

Con: Requires a full range of strategy and tactical skills.

4. Business Unit Model. This model distributes SSG members to individual business units to serve their specific needs, report within a business unit, and adapt policies and processes as needed.

Pro: If it works well, more people within an organization are well-versed in security.

Con: If there is poor coordination or communication, success can be difficult to maintain and measure.

5. Management Model. Product leaders manage security as a business process, along with product design, quality assurance, and so on.

Pro: Security is truly embedded in the culture of the organization.

Con: Business leaders must continue to prioritize security as they face pressure to release products quickly.

Step 5: Equip them with the right skills

Your chances of prospering in the wilderness are greatly improved when you equip your SSG with the necessary skills. The SSG must collectively have a broad and advanced understanding of software security activities that prepare you to deal with whatever hazards you encounter.

Look for opportunities to refuel and refresh your team’s skills whenever possible, with training and experienced experts to guide the way. SSG members may rely on external partners for execution of security tests or other activities, but it is important that they have the knowledge to manage those partners effectively.

Soft skills are essential to create a resilient group that can work together toward a common goal. SSG members must be

• Communicators who can work with people in different roles, executives, vendors, and partners to evangelize software security
• Collaborators who can build bridges across departments and balance competing priorities and goals
• Analysts who can use their knowledge and creativity to prioritize and recommend actions
• Teachers who can increase the skill levels of others in the organization

Step 6: Add satellite support

In addition to the core team members, the SSG relies on support from other security stakeholders within the organization. This support allows the SSG to scale its reach and influence to all those stakeholders—application owners, development teams, QA groups, test teams, threat/intelligence teams, and so on.

We call this team a “satellite.” It creates a social network that drives timely, grassroots efforts to accelerate the adoption of software security best practices. Having a strong satellite is a sign of a mature software security initiative.

How do you find people for your satellite?

• Identify people who stand out during introductory training courses.
• Ask for volunteers. Cybersecurity is a hot topic and a good career path many want to pursue.
• In a more top-down approach, you can assign qualified people within development or product groups to ensure coverage.