ABSTRACT

Many of the functions and their associated activities and best practices described in this chapter (see Figure 8.1) are handled by groups other than the software security group that would have the principal oversight over the SDL activities and best practices (A1-A5) described in the previous chapters. In this chapter we will describe them as activities that are the responsibility of the centralized software security group in an organization. We have found that this is a much more cost-effective and efficient way to manage these activities using existing resources. This is precisely the reason we highly recommend that the core software security group be composed of senior software security architects who have hard “dotted-line” relationships with the software security champions, who in turn have the same relationships with the software security evangelists. There should also be a strong relationship between the software security architects in the centralized software security group and the product managers of each Tier 1 software product, just as there is for the software security champions. It is also important that the software security group and function be placed in the right organization so they can be most successful.