5 Security belongs to everyone

This chapter covers

  • Expanding application security through various methods
  • Building a culture of security that includes education
  • Exploring the maturity models that can be used in an application security program
  • Explaining decentralized AppSec in software development

Stop me if you’ve heard this before, but security is everyone’s problem. We’ve all heard this many times, but what does it really mean? In my experience, the ability to scale an application security team to meet the needs of a large organization is difficult, if not impossible. Many of the organizations that I have worked with have had hundreds or even thousands of developers. In these organizations, even what I would consider a large application security team was no match for the sheer volume of work in the organization. This means that organizations must find other, more creative ways to bring security to the overall development of software.

5.1 Security is everyone’s problem

5.1.1 Structure of an application security team

5.1.2 Just hire more application security people

5.1.3 How to close the gap

5.2 Security education

5.2.1 Raising the security IQ

5.2.2 Microlearning and just-in-time training

5.2.3 It’s more than just training

5.3 Standards, requirements, and reference architecture

5.3.1 Creating and driving standards

5.3.2 Creating reference architecture

5.3.3 Bringing requirements into the organization

5.4 Maturity models

5.4.1 OWASP SAMM

5.4.2 Building Security in Maturity Model

5.4.3 Addressing your security immaturity