2. Business Initiated Vulnerabilities

Create Gov Wide "Security Maven" Program for Gov IT Developers

Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams.

 

IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing" expertise" and "contractual" barriers between security and the development and business side.

 

Walmart's security mavens were not security experts, but members of developments teams trained and deputized to be first level support on security for development teams. The mavens dramatically scaled security's ability to support the teams.

 

No previous knowledge was required for mavens, just an interest in security practices and a passion to mentor coworkers on building robust infrastructure. Here's more about the program in a slide[1], and a video.[2]

 

Since "security mavens" would be developers and business-side persons, the mavens would be present for discussions about software features, tools, etc. to make security practices part of the equation.

 

A security maven program could be a CIO Council and Whitehouse initiative and have a web presence. Assets could be developed at OMB, GSA and promoted through agencies. Organizations like ACT-AIC could develop assets to support security mavens. It would be important that mavens volunteered (not assigned) and were acknowledged professionally. (Perhaps OPM, who might be looking for some good will at this time, would have an incentive to figure out some formal skill recognition to security mavens.)

 

Development teams are likely to be interested in a maven program because the adoption of Continuous Integration and DevOps is driving automated regression testing that is creating much wider appreciation of reliability as a means for deploying features faster. (See: "Compliance at Velocity"[3])

 

[1] https://twitter.com/astorrs/status/525356965363744768

[2]

[3] http://complianceatvelocity.com

Add tags and help us assess and classify your idea. Pick from the list below or type in a new tag.

Voting

4 votes
Public Input
Idea No. 78