Software security efforts are rarely successful without buy-in from the project manager. In most organizations, individual project members will not treat security as a concern if left to their own devices. Part of the reason is that the skills required to be effective at secure development do not overlap much with traditional development skills. Another reason is that most development is feature-driven, whereas — beyond basic integration of technologies such as SSL — security rarely shows up as a feature. The project manager generally has several key responsibilities in this space:
- First among them is promoting awareness. Usually all team members will need to have basic exposure to the application security strategy, and often several team members will need significant training, as few people have the necessary skills in their toolbox.
- Additionally, the project manager should promote awareness outside his team. The rest of the organization needs to understand the impact of application security on the business, such as schedule trade-offs and security risks that the team may not address.
- Another primary responsibility of the project manager is monitoring the health of the organization. Generally, this involves defining a set of basic business matrices and applying them on a regular basis.
Project managers are encouraged to review sections A through F of the CLASP Resources.