Post-Release Support (PRSA1–5) 227
8.1 Right-Sizing Your Software Security Group
First we will walk through each of the software security group's relationships and why keeping them in perspective matters in order to "right-size" the building of a successful software security program.
Doing this means having
• The right organizational location
• The right people
• The right process
8.1.1 The Right Organizational Location
Although there have been great advances in software security technology over the last few years, we believe that people are still the most important element of a successful software security program, including the implementation and management of its activities and best practices. To make the best use of the people responsible for software security, they must be part of the right organization (see Figure 8.2). Having held seven Chief Security Officer (CSO) and Chief Information Security Officer (CISO) roles, James Ransome, one of the co-authors of this book, has had software security reporting to him in several of those roles. Based on both his experience and his communication with peers in the industry, it is clear that the software security function ideally should fall within the engineering (software development) function and, in particular, within the quality function. The general consensus is that the application security role typically reports to the centralized information security role (the CSO/CISO position) and should not be confused with the software security function. Typically, those in an application security role within an IT security organization are very good at running tools but lack the software development background needed to fully interpret the results.
To make this point clear, it is important to differentiate between software security and application security. Perhaps the best way to clarify this distinction is with a quote from Gary McGraw:
Software security is about building secure software: designing software to be secure; making sure that software is secure; and educating software developers, architects, and users