uestions accordingly for efficiency.
While coaches can be used at any point in the software life-cycle, appropriate times to involve them include initial product conception, the period before functional or detailed design specification(s) are completed, the point at which issues arise during development, test planning, and the handling of operational security incidents.
Over time, the internal network of coaching resources can be used as points-of-contact for communicating security-relevant information throughout the organization, as well as being local resources that have greater familiarity with the ongoing project teams than a purely centralized security team might.

Education & Guidance

EG 3

Mandate comprehensive security training and certify personnel for baseline knowledge

A. Create formal application security support portal
Building upon written resources on topics relevant to application security, create and advertise a centralized repository (usually an internal web site). The guidelines themselves can be created in any way that makes sense for the organization, but an approval board and straightforward change control processes must be established.
Beyond static content in the form of best-practices lists, tool-specific guides, FAQs, and other articles, the support portal should feature interactive components such as mailing lists, web-based forums, or wikis to allow internal resources to cross-communicate on security-relevant topics and have the information cataloged for future reference.
The content should be cataloged and easily searchable based upon several common factors such as platform, programming language, pertinence to specific third-party libraries or frameworks, life-cycle stage, etc. Project teams creating software should align themselves early in product development to the specific guidelines that they will follow. In product assessments, the list of applicable guidelines and product-related discussions should be used as audit criteria.

B. Establish role-based examination/certification
Either per role or per training class/module, create and administer aptitude exams that test people for comprehension and utilization of security knowledge. Typically, exams should be created based on the role-based curricula and target a minimum passing score around 75% correct. While staff should be required to take applicable training or refresher courses annually, certification exams should be required biannually at a minimum.
Based upon pass/fail criteria or exceptional performance, staff should be ranked into tiers such that other security-related activities could require individuals of a particular certification level to sign off before the activity is complete, e.g. an uncertified developer cannot pass a design into implementation without explicit approval from a certified architect. This provides granular visibility on a per-project basis for tracking security decisions with individual accountability. Overall, this provides a foundation for rewarding or penalizing staff for mak...
- Spring '14