5 models for enterprise software security management teams
BSIMM members share their strategies
If you create, purchase or deploy software, someone in your organization must be responsible for making sure it is secure.
Won’t development and security teams handle that?
Not if they aren’t aligned along the same goals.
A Software Security Group (SSG) creates strategy and structure for the security practices that protect your organization from external threats.
What is the right way for an enterprise to set up an SSG?
We surveyed 23 enterprises in the Building Security In Maturity Model (BSIMM) community, an industry group that shares best practices on software security.
We Found 5 Different Models for Enterprise Software Security Groups
1. Services
2. Policy
3. Business Unit
4. Hybrid
5. Management
Every SSG we surveyed had a central team plus satellite members distributed throughout the organization.
(Satellites are the developers, architects and others outside the SSG who do software security work within their own teams, orbiting around the central SSG.)
SSG Type #1: Services
Offers pen testing, code review, architectural risk analysis, etc. from a central hub.
• Avg. number of developers – 4,828
• Avg. number of people in SSG – 7.3
• Avg. satellite size – 7.1
SSG Type #2: Policy
Sets guidelines for testing and code review, but does little execution itself and relies on strong satellites for enforcement.
• Avg. number of developers – 8,630
• Avg. number of people in SSG – 10.2
• Avg. satellite size – 16
SSG Type #3: Business Unit
Tailors its approach to each business unit, working however that unit prefers. With no central head, this model can be difficult to launch and manage.
• Avg. number of developers – 1,650
• Avg. number of people in SSG – 4.5
• Avg. satellite size – 27
SSG Type #4: Hybrid
Combines the Services and Policy structures. Can be conflicted when resources are insufficient to execute the policies it sets, and budget ownership can be unclear.
• Avg. number of developers – 2,300
• Avg. number of people in SSG – 16.3
• Avg. satellite size – 15.5
SSG Type #5: Management
Found in companies where security is embedded in the culture as a competitive advantage. Satellites keep teams aligned.
• Avg. number of developers – 10,833
• Avg. number of people in SSG – 18.7
• Avg. satellite size – 174.7