By Stacy Simpson, SAFECode

At SAFECode, we often talk about the need to look beyond the technical requirements of implementing a secure software development lifecycle and think more expansively about creating a holistic software security program that encompasses both strong technical practices and healthy business processes. Some of the non-technical aspects of managing a mature secure development program include stakeholder engagement and communication, deployment planning, program measurement, and the development of a security-supportive culture.

Today, we are excited to build upon our previous work and share with you a new report that takes an in-depth look at how to build and maintain a security-supportive culture. The paper, "The Six Pillars of DevSecOps: Collective Responsibility – Key Considerations for Developing a Security-Supportive Culture," was written in collaboration with the Cloud Security Alliance (CSA) as part of a larger project around identifying best practices to support the secure implementation of DevOps, commonly referred to as DevSecOps. While the paper was written with DevSecOps in mind, we believe that many of its recommendations are applicable across diverse development environments.

While much has been written on the need to nurture a security-supportive culture, it remains one of the most consistently cited challenges of DevSecOps execution. Culture is most often described as a critical but intangible element of an organization. Unfortunately, this may lead to a rather ad hoc approach to fostering cultural change. In software security, this often takes the form of the occasional hackathon or bug bash, or perhaps an annual training session on the value of software security practices. This is not to say these activities are not valuable, but rather that their impact is limited if they are not presented in the context of a team's objectives, are not reinforced, or do not target the right audience.

Rather, we believe that a security culture is the result of deliberate action aimed at instituting sustainable organizational change. This is not to say that there is one right way to foster a security-supportive culture. In truth, most organizations use a variety of methods to create the environment they need for their software security program to succeed. However, the most successful organizations view security culture development as a comprehensive business program with a clear vision, strategy, and set of tactics with measurable business value.

The paper released today focuses on describing the common practices shared by organizations that have taken a well-structured approach to security culture development, breaking these practices down across three key areas:

  • Executive Support and Engagement
  • Program Design and Implementation
  • Program Sustainment and Measurement

Our hope is that this work can help others think more critically about their own security culture and consider whether some of the practices shared in the paper can help them to continue to build a sense of collective security responsibility across their organizations. We hope to encourage others to view a security-supportive culture not as a happy accident or unreachable ideal, but rather as the result of deliberate action taken over time.

We thank CSA for its leadership in bringing this paper to publication and look forward to continuing our ongoing collaboration around the practical implementation of DevSecOps. If you are a member of SAFECode or CSA and interested in participating in our working group, please let us know.