Security Information Overload
A simple Internet search will find a large amount of security-related information. The information ranges from today's security breach to academic research. Separating out the useful information is a challenge even for security professionals.
For a product team that needs to gather security information quickly to get started, this information overload is a challenge that can cause product delays. Delays can come through hesitation to get started, new information arriving in the middle of development, or the discovery of an unknown requirement before release.
Efforts to summarize the available information tend to be "lists of lists" that, while helpful, do not target the needs of Product Development and the Product Development Team. Each member of the team has a different role and different needs for information. The list of Resources provided below attempts to provide a starting point for each team member to become familiar quickly with security information in their area and enable them to find out more as required.
Determining a market need for a secure product and justifying the investment in security development are key challenges. Organizations new to security can see security as an unneeded risk to development timelines or as added expense/overhead, making the Product Manager's challenge difficult. Whether security is an innovative product feature, a basic market requirement, or anything in between, the Product Manager must be able to make the business case to add security.
Security Risk/Threat Reports - These resources can provide a list of current security challenges that customers are concerned about
Business Case for Security - Methods to help formulate the business case for security in product development
Managing a product being developed by a team utilizing an unfamiliar technology is always a challenge. Like any technology, security has a set of technical and business concerns that a Project Manager must balance to ensure a successful launch.
Introduction to Security Project Management - Understanding secure project needs
Risk Management - Success in secure product development is fundamentally about risk and how well a Project Manager can manage it
Security Development Lifecycle - Best practice processes to implement security in a product
Vendor Management - Security vendors are an important part of secure development execution and require special attention from the Project Manager
Developing a security architecture is a balance of understanding the product needs, security threats, available security technologies, and security verification testing. This understanding must be specified and communicated to the product team for effective development.
Security Systems Engineering - The traditional System Engineering approach with focus on security
Architectural Analysis and Threat Modeling - Understand where the design is vulnerable
Industry Guidance - Security recommendations and controls that should be considered for product design
System Security Testing - How to ensure the security designed in performs as required
The software developer's challenge is to produce working code on tight timelines to meet product deadlines. Adding security can be difficult, but good guidance is available on how to implement it effectively within most development processes.
Secure Coding Practices - How to do it and what to watch out for
Security Code Review - Add security assessment to your existing peer review process
Security Unit Testing - Check for security in code early and often in the development process
As an executive in an organization, you will find that it is not only the security of your IT infrastructure that deserves additional attention; security is also a growing need in executing new product development. Understanding and managing the security risks your organization faces is critical to profitable project execution and company growth.
How Can Secmation Help?
Even a list intended to summarize a starting point for learning about secure product development is long. Secmation can deliver targeted training specific to your product's needs to make the development team confident in its ability to execute the security development and keep the product on track for a successful launch.