As a development organization, your company initiated a security champion program based on the Software Assurance Maturity Model (SAMM) to increase the effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. Which of the following is the best arrangement for the security champion? (Wentz QOTD)
A. Establish a security champion position reporting to CEO directly
B. Establish a security champion position reporting to CISO directly
C. Assign a developer in each project to serve as the security champion role
D. Assign a functional manager with position power to serve as the security champion role
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Assign a developer in each project to serve as the security champion role.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
The Software Assurance Maturity Model (SAMM) is an OWASP project: a prescriptive model and an open framework that is simple to use, fully defined, and measurable. SAMM 2.0 comprises five business functions (governance, design, implementation, verification, and operations) that largely follow a logical sequence and map to a generic software development life cycle. Each business function has three security practices, and the activities of each security practice are organized into two streams to form a hierarchy for performance measurement. In other words, every activity of a security practice belongs to either Stream A or Stream B. Each security practice is assessed at three maturity levels, which serve as the software assurance objectives.
[Stream B] Identify security champions, Education & Guidance @ Maturity Level 1
“Identify security champions” is a Stream B activity of the security practice, Education & Guidance, at maturity level 1. It brings the benefit of basic embedding of security in the development organization. The following is an excerpt from the OWASP SAMM v2.0 – Core Model Document:
- Implement a program where each software development team has a member considered a “Security Champion” who is the liaison between Information Security and developers.
- Depending on the size and structure of the team, the “Security Champion” may be a software developer, tester, or a product manager.
- The “Security Champion” has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines.
- “Security Champions” have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support “Security Champions” for cultural reasons.
- The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, “Security Champions” assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
- In addition to assisting Information Security, “Security Champions” provide periodic reviews of all security related issues for the project team so everyone is aware of the problems and any current and future remediation efforts. These reviews are leveraged to help brainstorm solutions to more complex problems by engaging the entire development team.
Assessment question: Have you identified a Security Champion for each development team?
– Yes, for some teams
– Yes, for at least half of the teams
– Yes, for most or all of the teams
Quality criteria:
– Security Champions receive appropriate training
– Application Security and Development teams receive periodic briefings from Security Champions on the overall status of security initiatives and fixes
– The Security Champion reviews the results of external testing before adding to the application backlog
[Stream A] Customize security training, Education & Guidance @ Maturity Level 2
Security Champions train on security topics from various phases of the SDLC. They receive the same training as developers and testers, but also understand threat modeling and secure design, as well as security tools and technologies that can be integrated into the build environment.
[Stream B] Establish a security community, Education & Guidance @ Maturity Level 3
Form communities around roles and responsibilities and enable developers and engineers from different teams and business units to communicate freely and benefit from each other’s expertise. Encourage participation, set up a program to promote those who help the most people as thought leaders, and have management recognize them. In addition to improving application security, this platform may help identify future members of the Secure Software Center of Excellence, or ‘Security Champions’ based on their expertise and willingness to help others.
[Stream B] Standardize and scale threat modeling, Threat Assessment @ Maturity Level 2
Train your architects, security champions, and other stakeholders on how to do practical threat modeling. Threat modeling requires understanding, clear playbooks and templates, organization-specific examples, and experience, which is hard to automate.
[Stream B] Establish a penetration testing process, Security Testing @ Maturity Level 2
Penetration testing cases include both application-specific tests to check soundness of business logic, and common vulnerability tests to check the design and implementation. Once specified, security-savvy quality assurance or development staff can execute security test cases. The central software security group monitors first-time execution of security test cases for a project team to assist and coach the team security champions.
[Stream B] Establish continuous, scalable security verification, Security Testing @ Maturity Level 3
Security champions and the central secure software group continuously review results from automated and manual security tests during development, including these results as part of the security awareness trainings for the development teams. Integrate lessons learned in overall playbooks to improve security testing as part of the organization development. If there are unaddressed findings that remain as accepted risks for the release, stakeholders and development managers should work together to establish a concrete timeframe for addressing them.
As a development organization, your company has launched a Security Champion Program based on the Software Assurance Maturity Model (SAMM) to improve the effectiveness and efficiency of application security and compliance and to strengthen the relationship between the various teams and Information Security. Which of the following is the best arrangement for the security champion? (Wentz QOTD)
A. Establish a security champion position reporting directly to the CEO
B. Establish a security champion position reporting directly to the CISO