How do you create a secure development culture within your organisation?
Achieving ‘secure-by-design’ applications requires a shift in mindset – and this applies to everyone in an organisation. That’s because rapid development and security are increasingly difficult to reconcile.
The business stakeholders, the DevSecOps teams and the security function often have different goals. However, an organisation always benefits when these teams have a positive relationship: it reduces risk and increases quality, while allowing security to act as a business enabler in its own right.
For this to happen, you must establish a common understanding of the security challenges in the development lifecycle. That understanding must then be applied consistently and repeatedly across your development organisation.
Our solutions
Approach creates a strong security culture in your development organisation in four steps:
Application Security Awareness
Prepare your developers for more detailed training.
Teaching the foundational AppSec lessons:
- Basics of application security
- Security vocabulary
- Most dangerous cyber threats
- Most critical security risks (OWASP Top Ten)
Application Security Training
Teach developers the techniques they need to be successful.
Teaching the specific knowledge for each of the various development roles:
- Threat modelling
- Secure architecture & design review
- Language-specific secure coding
- Application Security Testing
- Security hardening
- Security monitoring
- Etc.
Coaching & Mentoring (Security Champions)
Guide developers in the security activities and measure the results.
Coaching & Mentoring during activities to improve security and incentivize results:
- Create threat models
- Perform secure code reviews
- Review vulnerability assessment results
- Fix vulnerabilities discovered during pen test campaigns
- Identify security champions
Connect the cyber security community
Connect developers with other security-conscious people.
Embracing the idea of gathering and connecting to the cyber security community:
- Choose the right knowledge exchange forums
- Attend the right set of events & conferences
- Connect to Approach’s expanding cyber security community
- Exchange ideas, problems and solutions
We first provide awareness on Application Security to teach the foundations, then provide the more detailed learning your developers need to apply application security concepts to their specific role. In a third phase, we anchor their behaviour change in real practice, while ensuring that their latest security knowledge is applied as a matter of course. Finally, we connect them with the cyber security community, where developers can talk to and learn from one another.
We offer our solutions either as part of a comprehensive, recurring framework or on a more on-demand basis, depending on our clients’ needs.
Security education is far more effective than any other measure
Convincing developers and other stakeholders of the importance of security is challenging, but hugely beneficial.
Developers, who are the first line of defence, are happier and more productive when they can innovate. When they are aware of security concerns and have been taught about vulnerabilities and flaws, they spend less time remediating errors and deliver more value to customers by releasing good code on time. They adopt a proactive approach to security by seeking advice and validation.
When security is an organisation-wide priority, security personnel can focus on what matters and improve their reputation, for example by being seen as an asset rather than a liability. They come under less pressure regarding security requirements, while overall security and compliance improve as a natural consequence.
Why partner with Approach?
Approach is ideally positioned to assist you in creating a sustainable application security culture within your organisation. We uniquely combine the knowledge and skills of cyber security and software development.
- We have decades of experience in the development of highly secure applications in our own software factory, for banking, FinTech, military and Digital Identity projects such as itsme®.
- We have built a broad catalogue of consistent, affordable and repeatable awareness sessions and training courses at different levels. This catalogue is based on real field experience and on the best practices of interest groups and frameworks such as OWASP, SANS, NIST and the Microsoft SDL, to name but a few.
- Our teachers, coaches and mentors are senior professionals. They combine knowledge and field experience with educational and psychological skills, so as to make a real impact on behaviour. They always explain the ‘why’ and the ‘how’, not just the ‘what’. Furthermore, they provide the relevant security awareness and culture metrics to give transparency on results.
- Our Training & Coaching solutions fit perfectly into a holistic vision for secure-by-design applications. They can be seamlessly integrated, almost ‘plug and play’, into your development lifecycle process.
Thanks to our links within the cyber security community and our partnerships, we are a partner of choice to help you connect your developers to a vast knowledge network.