I have seen several organizations trying to adopt secure SDLC and failing badly towards the beginning. One of the biggest reason is they try to use “Big Bang Approach”. Yeah, there are several consultants who will push you to go for a big project use the classical waterfall model to adopt secure SDLC. But that’s asking too much. Changing the habits of a group is not very easy.
Typically there is a big push back and depending on how determined you are and the amount of dedicated resource you have either the exercise will be a half hearted success or a failure. However, with less effort than that you can be more successful. Here is how.
( Read More: 5 Major Types Of Hardware Attacks You Need To Know )
Why starting small is important?
- Changing group habit is very tough. Remember the last time you or your friend wanted to change the habit of smoking?
- Defining the optimal (minimal but effective) process is tougher than you think
- What you think will work might actually not
- Every organization is different. You will have your own learning.
- Secure SDLC is not just technology. You will have to deal with human minds, habits and resistance
Phase 1: Art of starting small
Define only one small area (in terms of secure coding) or a small group and implement the most important coding guidelines you want to implement. Keep the number of stuff minimal so that you get the least pushback in adoption and start building the desirable habit/mindset among the users. During this phase make sure you have the following:
- Define the most important goals. It should not be more than 1 or 2. Changing habits of a group is not easy. Hence keeping it small makes it easier. Once your pilot is successful you will have enough learning to do the complete roll out. Select the top 20% of guidelines which will help you the most in phase 1.
- Define the measures of success. It is very important to measure the success of adoption. Implementation just for sake of implementation will produce all most similar amount of junk code.
- Do weekly huddles. Measure the weekly adoption and success metrics. Check out the target vs achievement, road block, solutions and next week plan.
- Create a Secure SDLC learning document. Create a document of what you learnt from the process and define the model which worked. This should be the document which shall be the guide for you to launch the bigger mission across the organization and across all areas of coding.
Phase 2: Big Bang Implementation
Now that you have done a small implementation and have gone through the learning, you will better equipped to implement for the larger organization or for the larger domain. I am not discussing the details of this phase here since I wanted to focus on the “Lean model” of “Starting Small”.
This is a re-post of the blog originally published on CISO Platform
Link to original blog: http://www.cisoplatform.com/profiles/blogs/secure-sdlc-implementation-art-of-starting-small