Security is a process that begins with your employees:
Train your developers, administrators and managers. Create awareness, run some 'live hacking' demos, and offer workshops and seminars on secure software development, architecture, deployment and operation, accompanied by your own data protection and compliance requirements where appropriate.
This helps all participants apply appropriate technical guidelines and management policies, so that they can put what they have learned into practice on a day-to-day basis. Taken to its conclusion, this can also grow into a fully-fledged Secure Software Development Life Cycle.
In order to consolidate this experience with your employees in the long term, you should also give them something tangible for everyday use: with a simple, easy-to-understand Secure Coding guide for developers listing the 'Dos and Don'ts' of secure software development, a lot has already been won. These guidelines can of course be adapted to the languages and frameworks you use. Such guidelines work well not only for development, but also for design, deployment and operation, helping to get employees onto the right, 'secure' path.
Results from penetration tests, code reviews or source code analyses can also be incorporated directly into training courses and, following on from this, into 'your' guidelines.
At the more abstract management level, policies help to define and monitor the entire 'security process'. A Secure Coding Policy supports the project manager or client by providing a suitable checklist, for example, so that the corresponding implementation on the part of the developers can be traced and, if necessary, demanded. In addition to pure development, policies with checklists and matching operational guidelines are also suitable for secure design and daily operation. Ideally, they form a solid foundation for a complete Secure Software Development Lifecycle.
sic[!]sec GmbH regularly offers seminars on web application security based on the OWASP Top 10 as part of the Alliance for Cyber Security. In addition, we can also offer seminars specially tailored for you, whether the focus is on creating awareness or on concrete 'hands-on' workshops for technicians and developers, in which they can experience first-hand, using real attack tools, the effects of weaknesses caused by programming errors. These practical experiences create a better awareness of secure programming techniques and procedures than dry 'frontal teaching'.