I suggest that this needs to be achieved through:
Education
Everybody (including the business and delivery) needs to understand the importance of security. At IG we had a very positive recent experience with a consultant who came into our offices, spent some time with our development teams, educating and instilling enthusiasm for the subject, and then closing with a company-wide demonstration of our application vulnerabilities at the time. The presence of C-level executives at these demonstrations led ultimately to the creation of an application security function (in addition to our already quite mature InfoSec function).
Standardisation
Adopt industry guidelines such as OWASP to ensure a consistent, best-practice approach to security.
Organisation
Security, like quality, does not happen by accident, and requires organised effort to achieve. Create a team of security champions, whether physical or virtual, to:
- collaborate on application security decisions
- raise awareness of application security best practice in development teams
- help teams understand application security threats via threat modeling
- help teams secure their applications via security test suites
- provide a developer communication and feedback loop on security matters
- collaborate closely with InfoSec, PMO and Operations to ensure appropriate goal alignment; resourcing security work will be a key challenge
Process
Integrate security with your software development lifecycle, specifically:
- create an effective security monitoring, incident, tracking and resolution process
- prioritise issues using the OWASP risk rating framework
- require teams to maintain security threat models for their applications
- create security cheat sheets and code review checklists
- create automatic security test suites
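As an added example (not code from the original post), the OWASP risk rating referred to above in Python: the eight likelihood and eight impact factors are each scored 0-9, averaged, banded LOW/MEDIUM/HIGH and combined via the OWASP severity matrix, so that a list of findings can be prioritised worst-first. The two findings and their scores are constructed samples.

```python
# Added example: scoring a finding with the OWASP Risk Rating Methodology.
# Each factor is scored 0-9; likelihood and impact are the averages of their
# factors, banded LOW (<3) / MEDIUM (<6) / HIGH, then combined into a severity.
LIKELIHOOD_FACTORS = (  # threat agent factors, then vulnerability factors
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
IMPACT_FACTORS = (  # technical impact factors, then business impact factors
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability", "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation")
SEVERITY = {  # OWASP overall-severity matrix: (likelihood band, impact band)
    ("LOW", "LOW"): "NOTE",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL"}
SEVERITY_ORDER = ("NOTE", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def band(score):
    """Map an average factor score (0-9) onto the LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(scores, factors):
    """Average the named factors; a missing or out-of-range factor is an error."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    if any(not 0 <= scores[f] <= 9 for f in factors):
        raise ValueError("every factor must be scored 0-9")
    return sum(scores[f] for f in factors) / len(factors)

def rate(likelihood_scores, impact_scores):
    """Return likelihood, impact and the overall OWASP severity of one finding."""
    likelihood = average(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average(impact_scores, IMPACT_FACTORS)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[(band(likelihood), band(impact))]}

def prioritise(findings):
    """Rate (name, likelihood_scores, impact_scores) tuples; worst first."""
    rated = [(name, rate(lk, im)) for name, lk, im in findings]
    key = lambda r: (SEVERITY_ORDER.index(r[1]["severity"]), r[1]["likelihood"], r[1]["impact"])
    return sorted(rated, key=key, reverse=True)

# Constructed sample scores for two hypothetical findings, not real issues.
SAMPLE = [
    ("finding A", dict(zip(LIKELIHOOD_FACTORS, (5, 4, 7, 6, 7, 5, 6, 8))),
     dict(zip(IMPACT_FACTORS, (6, 3, 1, 5, 3, 5, 5, 3)))),
    ("finding B", dict(zip(LIKELIHOOD_FACTORS, (1, 1, 4, 3, 3, 3, 2, 2))),
     dict(zip(IMPACT_FACTORS, (2, 0, 0, 1, 1, 1, 0, 1))))]
```

Calling `prioritise(SAMPLE)` rates finding A as HIGH (likelihood 6.0, impact 3.875) and finding B as NOTE, and returns A first.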
Testing
Testing is the only way to confidently assert that an application meets its requirements, and this is no different for application security. All applications should be required to have automated security test suites with adequate coverage.
In addition, periodic, independent third-party penetration tests and architecture reviews should be performed.
The Challenge
What do you have to lose?
Probably a lot.