In order to integrate information security into every fiber of your web application development project, we suggest implementing our roadmap, an expanded variant of the OWASP Software Assurance Maturity Model (SAMM) combined with industry best practices for application security and DevSecOps. The roadmap provides high-level guidance and is not organized by priority. In practice, we will always focus first on the measures that deliver the biggest contribution and effect in the least amount of time.
Our goal is to integrate security into your project so that it becomes everyone's responsibility and not just the security department's. To do that, we suggest developing specific security-focused individuals inside your project. This does not mean that employees will be reassigned from development to security, but that we will develop their potential and skill set so that they are security-focused in their day-to-day activities. Ultimately this directly benefits their original field of work. It also means that the ideal candidates are those who want to become more security-focused in their craft, rather than people to whom that responsibility is assigned arbitrarily within the organization. To achieve this, we will train your internal staff and, in parallel, operate as an external application security support team, providing proof-of-concept implementations and expertise.
Integrating security is a complex undertaking that requires very distinct skill sets, and we suggest starting with three roles and three (or more, if possible) candidates. The candidates can be recruited from the current teams if specific members want to become more security-focused, or recruited horizontally or vertically from elsewhere in the organization. The roles can also be filled by hiring additional team members with the specific skills, but this is not mandatory.
The common goal is the development of internal expertise in the following specific roles, which cover the areas of:
– Governance and architecture
– Application development
– DevOps and infrastructure