SAMM - Education & Guidance - 3

Objective: Mandate comprehensive security training and certify personnel for baseline knowledge

Results

 * Efficient remediation of vulnerabilities in both ongoing and legacy code bases
 * Quickly understand and mitigate against new attacks and threats
 * Judge security-savvy of staff and measure against a common standard
 * Establish fair incentives toward security awareness

Add’l Success Metrics

 * >80% staff certified within past 1 year

Add’l Costs

 * Certification examination build-out or license
 * Ongoing maintenance and change control for application security support portal
 * Human-resources and overhead cost for implementing employee certification

Add’l Personnel

 * Developers (1 day/yr)
 * Architects (1 day/yr)
 * Managers (1 day/yr)
 * Business Owners (1 day/yr)
 * QA Testers (1 day/yr)
 * Security Auditors (1 day/yr)

Related Levels

 * Policy & Compliance - 2 & 3

A. Create formal application security support portal
Building upon written resources on topics relevant to application security, create and advertise a centralized repository (usually an internal web site). The guidelines themselves can be created in any way that makes sense for the organization, but an approval board and straightforward change control processes must be established.

Beyond static content in the form of best-practices lists, tool-specific guides, FAQs, and other articles, the support portal should feature interactive components such as mailing lists, web-based forums, or wikis to allow internal resources to cross-communicate on security-relevant topics and have the information cataloged for future reference.

The content should be cataloged and easily searchable based upon several common factors such as platform, programming language, pertinence to specific third-party libraries or frameworks, life-cycle stage, etc. Project teams creating software should align themselves early in product development to the specific guidelines that they will follow. In product assessments, the list of applicable guidelines and product-related discussions should be used as audit criteria.

B. Establish role-based examination/certification
Either per role or per training class/module, create and administer aptitude exams that test people for comprehension and utilization of security knowledge. Typically, exams should be created based on the role-based curricula and target a minimum passing score around 75% correct. While staff should be required to take applicable training or refresher courses annually, certification exams should be required biannually at a minimum.

Based upon pass/fail criteria or exceptional performance, staff should be ranked into tiers such that other security-related activities could require individuals of a particular certification level to sign off before the activity is complete, e.g. an uncertified developer cannot pass a design into implementation without explicit approval from a certified architect. This provides granular visibility on a per-project basis for tracking security decisions with individual accountability. Overall, this provides a foundation for rewarding or penalizing staff for making good business decisions regarding application security.