Securing software delays its release and makes it harder for organizations to realize the maximum business benefit of developing software.
This quick read book argues that the root cause of the delay lies deep-seated in strategic security risk policies and the traditional three lines of defense. The security risk policy mandates that all significant changes are security risk assessed and provides the “three lines of defense” to perform these assessments. While the “three lines” are capable of performing these assessments, they cannot deal with the assessment workload generated by modern-day development methodologies.
As a solution, this quick read book proposes virtualizing the first line of defense (FLD). The virtual FLD semi-automates a software security risk assessment and integrates it into the development process, allowing development teams to assess their changes rather than waiting on the security risk team. Virtualization and its resulting automation capabilities enable the organization to effectively and efficiently manage the security risks inherent in software development.
This book interprets a host of industry-standard literature from COBIT, NIST and ISO, applying it to software development in a three-phased, step-by-step approach to building, measuring and improving a virtual FLD.
Format of the quick read book:
This book is a quick read only because its detailed step-by-step approach does not provide lengthy explanations of the COBIT, NIST and ISO industry literature used to build the virtual FLD solution. Rather, it assumes an understanding of the literature and explains how it was interpreted, and every decision made while applying it to the development process. I chose this format to best enable the reader to identify those bits that apply to your environment, those that don’t, those you agree with, those you don’t and, most importantly, areas of improvement.