
DevSecOps By Design: How to Incorporate Security and Compliance Earlier Than Testing and Scanning

Presentation
In this presentation, Trevor Young explores new approaches to threat modeling and developer training that can ease teams into integrating security and compliance early in the DevSecOps process.
Publisher

Software Engineering Institute

Abstract

As the pace of software development continues to accelerate with DevSecOps, ensuring that compliance, regulation, and security are baked into the early phases of your secure development life cycle is a critical priority. However, incorporating these elements into the software development process can be challenging, especially when they are treated as afterthoughts.

Most organizations start this journey at the testing phase of the software development life cycle (SDLC): penetration testing, static application security testing, open source vulnerability testing, and so on. While this helps, the time and effort needed to go back and rework software after it has been developed can be costly and can slow down your time to market.

Teams that build a culture of security across multiple phases of the SDLC mitigate risk more effectively. But there are many challenges, including finding the expertise to guide teams, having the authority to change the culture across the organization, securing the time and resources to implement that change, and making sure it is integrated in a way that does not burden teams to the point where the core value delivered in software is reduced or slowed.

Traditional approaches to security by design (e.g., threat modeling, training programs, and security and compliance policies) can be heavyweight, and it can be difficult to get buy-in for them from development teams. Taking a new approach to secure design that is lightweight, developer-friendly, and integrated into existing SDLC activities can make this task easier. By defining a path that helps foster a culture of security, organizations can start slowly and gradually increase the speed with which secure software is developed while improving the overall security posture among both developers and project leadership.

In this discussion, we explore new approaches to threat modeling and developer training that can ease teams into integrating security and compliance early in the DevSecOps process. We discuss how doing so can help you identify and address potential security vulnerabilities early in the development life cycle, reducing the likelihood of costly delays and rework. We will also explore the concept of building a security champions program and the benefits it can bring to your organization.

Security champions are individuals within your organization who are passionate about security and are trained to provide guidance and execution support to their peers. By empowering security champions, you can create a culture of security where everyone takes responsibility for ensuring that software is developed securely.