SEC11-BP08 Build a program that embeds security ownership in workload teams - Security Pillar

Build a program or mechanism that empowers builder teams to make security decisions about the software they create. Your security team still validates these decisions during review, but embedding security ownership in builder teams lets you build more secure workloads faster, because decisions are made by the people closest to the design rather than deferred to a late-stage review. This mechanism also promotes a culture of ownership that carries over into the operation of the systems you build.

Desired outcome: To embed security ownership and decision making in builder teams, you can either train builders to think about security or augment that training with security people embedded in, or associated with, the builder teams. Either approach is valid, and both allow the team to make higher quality security decisions earlier in the development cycle. This ownership model is predicated on training for application security. Starting from the threat model for the particular workload focuses design thinking on the right context: the assets, trust boundaries, and threats that actually apply to that workload. A further benefit of having a community of security-focused builders, or a group of security engineers working alongside builder teams, is that the security function gains a much deeper understanding of how software is actually written. That understanding helps you decide which areas of your automation capability to improve next.

Common anti-patterns:

  • Leaving all security design decisions to a security team.

  • Not addressing security requirements early enough in the development process.

  • Not obtaining feedback from builders and security people on how the program is operating.

Benefits of establishing this best practice:

  • Reduced time to complete security reviews.

  • Reduction in security issues that are only detected at the security review stage.

  • Improvement in the overall quality of the software being written.

  • Opportunity to identify and understand systemic issues, or areas where improvement would deliver high value.

  • Reduction in the amount of rework required due to security review findings.

  • Improvement in the perception of the security function.

Level of risk exposed if this best practice is not established: Low

Implementation guidance

Start with the guidance in SEC11-BP01 Train for application security. Then identify the operational model for the program that you think will work best for your organization. The two main patterns are to train builders or to embed security people in builder teams. After you have decided on the initial approach, pilot it with a single workload team or a small group of them to prove the model works for your organization before scaling it out. Leadership support from both the builder and security parts of the organization helps with the delivery and success of the program. As you build the program, choose metrics that demonstrate its value, such as review lead time and the number of findings raised at review. How AWS has approached this problem is a useful reference. This best practice is focused on organizational change and culture; the tools you use should support collaboration between the builder and security communities rather than substitute for it.

Implementation steps

  • Start by training your builders for application security.

  • Create a community and an onboarding program to educate builders.

  • Pick a name for the program. Guardians, Champions, or Advocates are commonly used.

  • Identify the model to use: train builders, embed security engineers, or have affinity security roles.

  • Identify project sponsors from security, builders, and potentially other relevant groups.

  • Track metrics for the number of people involved in the program, the time taken to complete security reviews, the number and severity of findings that surface only at review, and the feedback from builders and security people. Use these metrics to make improvements to the program.
