Secure SDLC – Part 4: The Security Advisor

Blog 8

This is, in my opinion, the most critical strategic step to implement a successful Secure SDLC: assigning the Security Advisor role to one of the members of the Product Development Team. This person provides support to the Product Development Team in complying with the Secure SDLC process and is the Information Security representative within the Product Development Team. The Security Advisor helps the team implement security across the entire SDLC and gives his approval at the end before the product launches into Production.

The Security Advisor is a subject-matter expert from within the Product Development Team, which allows a deeper level of understanding of the ecosystem and its associated threats. He is the first level of security support for the Product Development Team, acting as a security sounding board. He is the point of contact between the Product Development Team and the Information Security Team.

In my experience, it was key to develop the Secure SDLC practice together with someone in the Product Development Team who later became the Security Advisor. It was key because we included all his concerns and confirmed the viability of what we were proposing. He later became the ambassador of the Secure SDLC within his team.

Because this responsibility was within the Product Development Team and not in Information Security, a completely different level of ownership of product security was achieved. It was no longer the traditional scenario where Information Security is viewed as the auditor or police asking for compliance with the process; instead, the reasons why the required steps were necessary were understood, and Information Security was viewed as an enabler, a facilitator, to create secure products. Both teams worked towards the same goal.