Secure SDLC Program: “The Art of Starting Small”

I have seen several organizations try to adopt a secure SDLC and fail badly near the beginning. One of the biggest reasons is that they use a “Big Bang Approach”. Yes, there are several consultants who will push you to go for a big project and use the classical waterfall model to adopt a secure SDLC. But that is asking too much. Changing the habits of a group is not easy.

Typically there is a big push back, and depending on how determined you are and how much dedicated resource you have, the exercise will either be a half-hearted success or a failure. However, with less effort than that you can be more successful. Here is how.


Why is starting small important?

  1. Changing a group habit is very tough. Remember the last time you or a friend tried to quit smoking?
  2. Defining the optimal (minimal but effective) process is tougher than you think.
  3. What you think will work might actually not.
  4. Every organization is different. You will have your own learning.
  5. Secure SDLC is not just technology. You will have to deal with human minds, habits and resistance.

Phase 1: The art of starting small

Define only one small area (in terms of secure coding) or one small group, and implement the most important coding guidelines you want to enforce. Keep the number of items minimal so that you get the least pushback in adoption and start building the desired habit and mindset among the users. During this phase make sure you have the following:

  1. Define the most important goals. There should be no more than 1 or 2. Changing the habits of a group is not easy, so keeping the scope small makes it easier. Once your pilot is successful you will have enough learning to do the complete roll-out. Select the top 20% of guidelines that will help you the most in phase 1.
  2. Define the measures of success. It is very important to measure the success of adoption. Implementation just for the sake of implementation will produce almost the same amount of junk code as before.
  3. Do weekly huddles. Measure the weekly adoption and success metrics. Review target vs. achievement, road blocks, solutions and the plan for the next week.
  4. Create a Secure SDLC learning document. Record what you learnt from the process and define the model that worked. This document will be the guide for launching the bigger mission across the organization and across all areas of coding.


Phase 2: Big Bang Implementation

Now that you have done a small implementation and gone through the learning, you will be better equipped to implement for the larger organization or the larger domain. I am not discussing the details of this phase here, since I wanted to focus on the “Lean model” of “Starting Small”.
