Governance and management of software security are most effective when they are systemic, woven into the culture and fabric of organizational behaviors and actions. In this regard, culture is defined as the predominating shared attitudes, values, goals, behaviors and practices that characterize the functioning of an organization.
Culture thereby creates and sustains connections among principles, policies, processes, products, people and performance. Effective software security should be thought of as an attribute or characteristic of an organization. It becomes evident when everyone proactively carries out their roles and responsibilities, creating a culture of security that displaces ignorance and apathy.
One manifestation of this is that everyone proactively considers the attacker perspective throughout the entire software life cycle and how the software can fail when under intentional attack or unintentional actions of users or developers. This means that security must come off the technical sidelines as activities and responsibilities solely relegated to software development and IT departments.
Expect the unexpected
Today, boards of directors, senior executives and managers all must work to establish and reinforce a relentless drive toward effective enterprise, information, system and software security. If the responsibility for these is assigned to roles that lack the authority, accountability and resources to implement and enforce them, the desired level of software security will not be articulated, achieved or sustained.
We believe that secure software should be elevated from a stand-alone technical concern to an enterprise issue whenever organizations are developing and/or acquiring software.
Because security is now a business problem, the organization must activate, coordinate, deploy and direct many of its core resources and competencies to manage security risks in alignment with the entity’s strategic goals, operational criteria, compliance requirements and technical system architecture.
Those responsible for ensuring secure software should have the responsibility and authority to stop the release of new software into production if security requirements are not met. To sustain enterprise security, the organization must move toward a security management process that is strategic, systematic, and repeatable, with efficient use of resources and effective, consistent achievement of goals.
Business context
One of the objectives of the Secure Software Framework from the Secure Software Alliance is to help software developers and their managers, and security professionals and their managers:
- more effectively engage their leaders and executives in security governance and management by understanding how to place software security in a business context and
- better understand how to enhance current management practices to build and maintain more secure software.
Armed with the Secure Software Framework, managers and developers can build attentive and security-conscious leaders who are in a better position to make well-informed security investment decisions. With this support, they can then take actionable steps to implement effective security governance and management practices across the entire software and system development life cycle.