Software security program checklist: Kick off your program with a bang

If you want to enjoy your Sunday kickoffs, our software security program checklist of five activities will help you kick off your program successfully.

We’re coming up on fall here in the States, and for most of us, that means two big types of kickoffs: new business initiatives and football. Budgets tend to land around the same time as football season, so if you want to enjoy your Sunday kickoffs, follow this checklist of five impactful activities to make your software security program kickoff a success.

Software Security Program Checklist

1. Build your team

Everyone on the field has a role. Pick your captains, coaches, and quarterbacks wisely.

• Give the ball to your quarterback. Assign a software security program owner who can make the important decisions and run all the moving parts associated with a large program.
• Recruit security captains. Developers who show an interest in and affinity for software security can be recruited as Security Champions to lead the security effort within their teams.
• Assign a training coach. The best way to steer an organization toward a culture of security is through training. Having a training manager track and assign training courses will ensure that everyone is capable of building secure, high-quality software.

2. Have a playbook

Set expectations and provide a clear path to the goal. Clearly define software security for every level of the organization.

• Set the vision for your team. Every organization should have a set of goals and principles, and a software security initiative is no different. Provide a clear vision in the security policy for what software security will look like within your organization.
• Paint the end zones. Work with the software security group (SSG) to create application development standards that you can measure applications against. Enforce these standards through security gates to prevent vulnerable software from being deployed to production.
• Provide runbooks and playbooks to your team. If the application development standards provide a set of requirements to meet, provide coding guidelines to developers as ways of meeting those goals.
• Deal with calls from the ref. No security organization is perfect, and you’ll discover vulnerabilities at all phases of your applications’ life cycle. Set remediation schedules to ensure that your team can fix vulnerabilities in a timely manner. Have a plan in place to track vulnerabilities as they are fixed.

3. Have a training plan

Properly training developers often prevents vulnerabilities from popping up in source code. Provide awareness and skills training so everyone can prevent, detect, and remediate vulnerabilities as they’re designing and building software.

• Roll out e-learning for wide coverage. E-learning is a great way to provide introductions to software security and software quality to all the developers in an organization. Provide e-learning to get people talking about security.
• Give instructor-led training to key developers and security professionals. An instructor can give more in-depth training that can empower key developers in your organization to build security into their projects from the inside out.

4. Equip your team with the right gear

The game is always changing. Every year, new tools allow teams to better find holes in their defenses.

• Install an IDE plugin that provides just-in-time training. An IDE plugin that detects vulnerabilities in real time and offers remediation advice will help keep issues out of your source code.
• Add tooling to your pipeline. As teams move to more numerous but smaller releases, having tools that can reduce friction in the pipeline is key. Train your tools to weed out false positives to keep your release process lean.
• Get the entire picture from luxury box seats. Integrate outputs from your tools into a single pane-of-glass view to check the overall health of your organization at a glance.

5. Huddle up

Communication is key in football and in business. From in-game huddles and pre-play audibles to broadcast announcers and post-game interviews, communicate to different audiences the information they need to know.

• Secure senior leadership buy-in. When software security is a priority of senior leadership, it becomes a priority for the entire organization. Communicate the overall goals of the software security program, discuss at a high level what the different parts are, and solicit feedback.
• Inform development managers of incoming requirements and resources. The development teams and managers will be responsible for executing the software security plan. Enable them to do so by clearly communicating why and how they will be building secure software.
• Don’t forget to include the guys with the budget. Software security isn’t free. There may be tool buys, process considerations, and schedule adjustments that come with rolling out and following a software security strategy.
• Let everybody know security is a priority. Use corporate web pages, mailing lists, newsletters, and meetings to let everyone know about the new security strategy.

Game time

Football and software aren’t all that different. Even the goals (see what I did there?) mirror each other: The defense blocks the opposing team from getting to the end zone. It’s bad news for your team if the opposition scores a touchdown. Therefore, your defensive strategy is critical. This software security program checklist will help you keep your firm’s security game strong.