Software Security: Anchoring Security in the Corporate Culture

18. November 2021

In practice, it is not an easy task for manufacturers to continuously integrate a strong security mindset into complex software projects. In our blog series, Stephan Neumann, Head of usd HeroLab, and Torsten Schlotmann, Head of PCI Security Services, discuss practicable approaches and ways to effectively improve software security nonetheless.

There are many reasons why security should be embedded as 'business as usual' in day-to-day work and in all phases of the development process. For part 2 of our series, we asked our two experts about the best ways to start.

Stephan Neumann: "There is no universal recipe for the development process for Secure Software. Starting points are individual for each company. But over time, best practices have developed that work very well. Therefore, my recommendation is to integrate security into the corporate culture. It is important that the implementation of necessary measures becomes standard, learned practice. The topic of security needs to lose complexity and ideally reach the state where departments no longer perceive security as an additional expense. One way of achieving this stage is to train colleagues from the specialized departments to become so-called Security Champions. These bring a certain basic knowledge of IT security with them through private interest, their previous activities or their education. Security Champions can be completely normal developers who, in addition to their everyday tasks, have a particular focus on security. They can provide support internally in interpreting vulnerabilities or act as contact persons for external security audits. When asked about the optimal number of Security Champions, measured by project or team size, all I can say is that in a normal-sized team, even one Security Champion would be an absolutely wonderful thing."

Torsten Schlotmann: "I have also experienced this during the audits of our customers. Ideally, the Security Champion is someone from the respective development team, because he or she knows exactly what the challenges of the department are and can also act as a qualified contact person for security issues. As a tendency, the technical colleagues are more likely to accept the advice of the internal Security Champion, because they don't have the feeling of being assigned someone from a central security organization for this role who evaluates their work from the 'outside' - instead, it's someone from the team who is perfectly integrated and can contribute directly from the inside."
