Model | Governance | Education & Guidance
The Education & Guidance (EG) practice focuses on arming personnel involved in the software lifecycle with knowledge and resources to design, develop, and deploy secure software. With improved access to information, project teams can proactively identify and mitigate the specific security risks that apply to their organization.
One major theme for improvement across the Objectives is providing training for employees and increasing their security awareness, either through instructor-led sessions or computer-based modules. As an organization progresses, it builds a broad base of training starting with developers and moving to other roles, culminating with the addition of role-based training to ensure applicability and effectiveness.
In addition to training, this practice also requires the organization to make a significant investment in improving organizational culture to promote application security through collaboration between teams. Collaboration tools and increased transparency between technologies and tools support this approach to improve the security of the applications.
| Maturity level | Stream ATraining and Awareness | Stream BOrganization and Culture | |
|---|---|---|---|
| 1 | Offer staff access to resources around the topics of secure development and deployment. | Provide security awareness training for all personnel involved in software development. | Identify a “Security Champion” within each development team. |
| 2 | Educate all personnel in the software lifecycle with technology and role-specific guidance on secure development. | Offer technology and role-specific guidance, including security nuances of each language and platform. | Develop a secure software center of excellence promoting thought leadership among developers and architects. |
| 3 | Develop in-house training programs facilitated by developers across different teams. | Standardized in-house guidance around the organization’s secure software development standards. | Build a secure software community including all organization people involved in software security. |