Upload File

5 models for enterprise software security management teams

  • Home
  • Software
  • 5 models for enterprise software security management teams
22
5 Models For Enterprise Software Security Management Teams BSIMM members share their strategies

Upload: cigital

Post on 12-Aug-2015

78 views

Category:

Software


0 download

Report

TRANSCRIPT

Page 1: 5 models for enterprise software security management teams

5 Models For Enterprise Software Security Management Teams

BSIMM members share their strategies

5 Models For Enterprise Software Security Management Teams

BSIMM members share their strategies

Page 2: 5 models for enterprise software security management teams

If you create, purchase or deploy software, someone in your organization must be

responsible for making sure it is secure.

Page 3: 5 models for enterprise software security management teams

Won’t development and security teams handle that?

Not if they

aren’t aligned along

the same goals.

Not if they

aren’t aligned along

the same goals.

Page 4: 5 models for enterprise software security management teams

With no management structure, who ends up in charge?

Nobody.Nobody.

Page 5: 5 models for enterprise software security management teams

What exactly is a Software Security Group?What exactly is a Software Security Group?

Page 6: 5 models for enterprise software security management teams

A Software Security Group (SSG) creates strategy and structure for

security practices that protect your organization from external threats.

Page 7: 5 models for enterprise software security management teams

What is the right way for an enterprise to set up an SSG?What is the right way for an enterprise to set up an SSG?

Page 8: 5 models for enterprise software security management teams

We surveyed 23 enterprises in the Building Software Security In

Maturity Model (BSIMM) community, an industry group that shares best practices on software

security.

Page 9: 5 models for enterprise software security management teams

We Found 5 Different Models for Enterprise Software Security Groups

1. Services

2. Policy

3. Business Unit

4. Hybrid

5. Management

Page 10: 5 models for enterprise software security management teams

Each group had a central team and satellite members throughout the organization.

(Satellites orbit around the SSG doing good software security work.)

Page 11: 5 models for enterprise software security management teams

SSG Type #1: Services

Offers pen testing, code review, architectural risk analysis, etc. from central hub.

•Avg. number of developers – 4828•Avg. number of people in SSG – 7.3 •Avg. satellite size – 7.1

SSG Type #1: Services

Offers pen testing, code review, architectural risk analysis, etc. from central hub.

•Avg. number of developers – 4828•Avg. number of people in SSG – 7.3 •Avg. satellite size – 7.1

Page 12: 5 models for enterprise software security management teams

Organizational Structure of Services SSG

Page 13: 5 models for enterprise software security management teams

SSG Type #2: Policy

Sets guidelines for testing and code review, but does little execution and relies on strong satellites for enforcement.

•Avg. number of developers – 8630•Avg. number of people in SSG – 10.2 •Avg. satellite size – 16

SSG Type #2: Policy

Sets guidelines for testing and code review, but does little execution and relies on strong satellites for enforcement.

•Avg. number of developers – 8630•Avg. number of people in SSG – 10.2 •Avg. satellite size – 16

Page 14: 5 models for enterprise software security management teams

Organizational Structure of Policy SSG

Page 15: 5 models for enterprise software security management teams

SSG Type #3: Business Unit

Tailors their approach to help diverse business units, however each group wants to work. No central head can make it difficult to launch and manage.

•Avg. number of developers –1650•Avg. number of people in SSG – 4.5 •Avg. satellite size – 27

SSG Type #3: Business Unit

Tailors their approach to help diverse business units, however each group wants to work. No central head can make it difficult to launch and manage.

•Avg. number of developers –1650•Avg. number of people in SSG – 4.5 •Avg. satellite size – 27

Page 16: 5 models for enterprise software security management teams

Organizational Structure of Business Unit SSG

Page 17: 5 models for enterprise software security management teams

SSG Type #4: Hybrid

Combination of Services and Policy structures. Can be conflicted if resources are insufficient to execute policies and budgets can be unclear.

•Avg. number of developers –2300•Avg. number of people in SSG – 16.3 •Avg. satellite size – 15.5

SSG Type #4: Hybrid

Combination of Services and Policy structures. Can be conflicted if resources are insufficient to execute policies and budgets can be unclear.

•Avg. number of developers –2300•Avg. number of people in SSG – 16.3 •Avg. satellite size – 15.5

Page 18: 5 models for enterprise software security management teams

Organizational Structure of Hybrid SSG

Page 19: 5 models for enterprise software security management teams

SSG Type #5: Management

Model found in companies where security is embedded in culture as competitive advantage. Satellites keep teams aligned.

•Avg. number of developers – 10,833•Avg. number of people in SSG – 18.7 •Avg. satellite size – 174.7

SSG Type #5: Management

Model found in companies where security is embedded in culture as competitive advantage. Satellites keep teams aligned.

•Avg. number of developers – 10,833•Avg. number of people in SSG – 18.7 •Avg. satellite size – 174.7

Page 20: 5 models for enterprise software security management teams

Organizational Structure of Management SSG

Page 21: 5 models for enterprise software security management teams

We also learned that SSG structures evolve over time

Page 22: 5 models for enterprise software security management teams

Ready to set up an SSG of your own?

Contact us about Cigital’s services for software security program design.

www.cigital.com www.cigital.com


Competency Models for Enterprise Security and … Models for Enterprise Security and Cybersecurity ... Data and Definitions 2 ... enterprise security and cybersecurity—a few definitions

Nisum white paper titled “Agile Models for Global Teams”

Skiing and boxing: coaching product and enterprise teams

Data mobility for the enterprise environment · Enterprise marketplace Processing Systems Enterprise IT Environment Enterprise Services Delivered to market by product teams TODAY’S

DOI: 10.1177/ToBeAssigned models in human-agent teams · 2017-07-27 · A Brief Overview of Shared Mental Models ... general concept of mental models was extended to teams based on

Cloud Control Upgrade Guide - Oracle › en › enterprise-manager › ... · Contributors: Enterprise Manager Cloud Control Development Teams, Quality Assurance Teams, Customer Support

Connecting Cisco CUCM with Teams Direct Routing Enterprise … · administrator's management station, located on the LAN Enterprise deployed with Microsoft Teams Phone System Direct

Sports teams are good models for workplace teams

Enterprise Architecture Models

Summary of Enterprise Computing Models

Enterprise Day 2015 - beyond software teams (Atlassian)

Organizational Models for Computer Security Incident Response Teams (CSIRTs)

Executive Teams: An Analysis of Popular Models with a …images.transcontinentalmedia.com/LAF/lacom/et_models_odj.pdf · Executive Teams: An Analysis of Popular Models with a Perspective

Restarting the Enterprise (or why innovation teams suck)

Sustainable Enterprise Models Innovation

CAS2k16 - Teams Evolution Models

Infographics : Enterprise Information Security Teams

Overview of Sales Navigator for Enterprise Sales Teams

Groups of models Intra-Enterprise Planning Enterprise Planning itself Single Facility Location Models Multiple Facility Location Models

Transforming Enterprise Teams to DevOps Workflows

InnerSourcing - Worldwide enterprise development teams collaboration

login.draup.com · Enterprise sales teams can be highly turbulent, often relying on "sales ninjas" for sales. Enterprise sales teams are like the "wild west" - highly turbulent and

Agile Models for Global Teams - Agile Alliance · Agile Models for Global Teams ... Agile, a software development methodology ... likely bring participating companies significant

Models for forming teams

Creating Strategic Models with Enterprise · PDF fileEnterprise Architect Creating Strategic Models with Enterprise Architect ... Creating Strategic Models with Enterprise ... Decision

Enterprise 2.0 Adoption Models

Generating Enterprise Applications from Models

Collaborative Design for Enterprise Teams

Exoprise Teams Monitoring...CloudReady ® Microsoft Teams Monitoring Enterprise Use Cases Proactively Monitor Microsoft Teams Optimize Change Management Troubleshoot Issues Everywhere

"Transforming Enterprise Teams to DevOps Workflows" Mandi Walls

TAPS High Performance Enterprise Family Teams … · High Performance Enterprise Family Teams ... based reward system, ... you would perform a management talent assessment and then

Introduction to Enterprise Systems, Enterprise Computer Models and SAP / R3

Developing Enterprise Teams and Talent (Karen Pascoe at Enterprise UX 2016)

Various Learning Models and Their Applications for Engineering Teams

Jason Moore - Interaction design in enterprise teams