Identify a Champion
Someone needs to own the program. In a large organization there might be an entire team charged with application security and the champion is likely this team’s leader. In a smaller organization this might just be one of many hats that someone wears. The security champion role is described in more detail here: Champion
Staff Training
There are two aspects of training:
- Sensitivity Training – This training aims to instill a “we are under attack” mindset.
- Technical Training – This training is specific to the programming languages and other technology in use, and to individual roles.
Training is discussed in more detail here: Training
Tools
There are many commercial and open-source tools in the application security space. Proper use of these tools is fundamental to an effective security program. Your specific tool needs will depend on the nature of your product and on your “security maturity.” Classes of tools are described here: Tools and Services. Example tools and tool vendors are discussed here: Tools and here: Security Vendors
Leverage Security Experts
The Security Expert role is described in more detail here: Experts. One of the first things the Security Program will need to do is gain access to internal security expertise, whether by leveraging existing experts, developing expertise in current staff, or bringing in new hires.
Process & Policy
Process and Policy provide an overlay on the other elements of the program. For example: how often do we train? When do we run each type of tool? When do we do penetration testing? Security Process and Policy is described in more detail here: Process and Policy
Implementation
Once the above pieces are in place, we might hope that all of the right things just happen, but it seldom works that way in practice. The program will need to provide continued input and course correction to ensure the best outcome from the security investment.