An agile approach
Within VASP and VCDM, we have a “bottom-up” approach to security and data protection. This means that rather than having a large, centralised security organisation with a lot of policies, reporting systems etc., we focus on the development teams:
The development teams are the software development and delivery teams that build and run the products you use. They are the ones who know the product best: its strengths, weaknesses and context in the market. The team is responsible not just for coding, but for the entire product throughout its lifecycle, including releases, operations and security incident management. VASP (and VCDM) seek to empower the teams to provide the best possible security.
Every team has a dedicated “Security Engineer”. This is a specialised role described in our Quality Management System, just like other roles typically associated with a software company, such as “Developer” or “System Architect”. The Security Engineer receives additional training in security and data protection, and acts as the team’s specialist and primary point of contact on issues related to security and data protection. The Security Engineer works closely with the Security Team:
The development teams are closely supported by the Security Team. The Security Team is a team of dedicated application security professionals whose job is to support and enable the development teams in taking responsibility for their product, by providing expertise, guidance and certain tools and systems, such as threat intelligence, code scanning and support with security incidents.
The Security Team also provides training for the development teams, and maintains the Security Guild. The guild is where the Security Engineers interact and collaborate; it organises training and is the forum for sharing information and expertise between teams.
This approach, where the team itself is also responsible for security and operations, is often called “DevOps” or “SecDevOps” (also known as “DevSecOps”), and is a modern, holistic and agile approach to application security.
In sum, we believe that enabling and supporting the teams to take responsibility for “their product” yields a far better level of security than the more traditional approach of “write code and hand it off to Operations”. Likewise, having our Security Team and Data Protection Manager work hands-on with the teams on a day-to-day basis is a far better use of their competence than having them only monitor systems and write reports and policies (they do that as well).