Skip to Content
PracticesGovernance

Governance

We need to understand, based on application risk exposure, what threats exist or may exist, as well as how tolerant our executive leadership is of these risks. We need to be aware of the worst-case that can happen regarding our software and services but also how we could be a market-differentiator and create additional opportunities.

Truesec’s SDLC program is prioritized to address threats and opportunities most important to us as an organization. Every application built by Truesec shall document how it can impact the organization if the application is compromised.

This is done case-by-case and the information shall be stored in the projects Readme file and in the Enterprise Architecture Center . This information shall be shared among teams to enhance security awareness and help us build more resilient software as a group.

We should have an enterprise-wide knowledge about the risk appetite regarding our software.

Our strategy

  • We capture the accepted risk level of our organization’s executive leadership.
  • Our organization’s leadership vet and approve the set of risks with us.
  • We identify the main business and technical threats to our assets and data through Threat Intelligence and Threat modelling exercises combined with tooling.
  • We document risks and store them in an accessible location, see: Architectural Decision Records  (ADR). ADRs should be used when documenting significant architectural decisions or risks that impact the system’s design, scalability, security, or maintainability. For example, use an ADR to capture decisions about choosing a new framework, introducing a major dependency, or handling critical security concerns.

Measurement of the Application Security program

  • We measure the awareness of this program with developers in the team.
  • We measure the increased OWASP SAMM level with at least .2 -.5 points per function in a year.
  • We measure spent time in security training and awareness.
  • We measure the amount of our code that is covered with vulnerability scanning.
  • We measure on quality gates and bug bars.

OWASP SAMM Assessment:

  • Platform team assessments can be found here 

Todo: Add location for the other business units assessments.

Policy and standards we adhere to

Compliance management

All projects shall use the README template so that all projects are documented in the same way. A standard documentation praxis allows for automatic creation of a project catalogue.

TODO: Develop a way to iterate all projects and collect information from the projects readme files to a centralized project catalogue.

Security training and awareness

For information regarding awareness see more in our Tools section.

Organization

As part of our organization’s commitment to maintaining strong application security practices, it is crucial to involve relevant stakeholders in the decision-making process. The following responsibilities are established to ensure that security concerns are adequately addressed and mitigated:

Chief Technology Officer (Peter Eriksson)

The CTO is responsible for overseeing the organization’s technology strategy and ensuring that security considerations are integrated into technology decisions. The CTO shall be consulted on all significant technology-related initiatives, projects, and changes that may impact application security. This includes reviewing security risks, evaluating security solutions, and providing guidance on best practices for secure technology implementations.

CTO:

  • Peter Eriksson

Field CTO:

  • Fabio Viggiani

Chief Information Security Officer

The CISO is responsible for managing the organization’s information security program and providing leadership on security matters. The CISO shall be consulted on all security-related concerns, incidents, and policy matters that may affect application security. This includes providing expertise on security assessments, reviewing security policies and procedures, and ensuring that security controls are in place and effective.

CISO:

  • Mårten Thomasson

Security Team

The organization’s security team is responsible for implementing and maintaining security controls, conducting security assessments, and managing security incidents. They shall work closely with the CTO and CISO to provide regular updates on security posture, discuss security concerns, and seek guidance on security-related decisions.

  • Tome Filipovski, Kristian Gustafsson, Rickard Lundqvist, Mårten Thomasson, and Anders Axhake

Security center of excellence and responsibility for release

For a product team, the responsibility for managing the risks related to releases falls on the product manager, in collaboration with the development team, quality assurance (QA) team, and other relevant stakeholders. Here’s a breakdown of the responsibilities:

Product Manager

The product manager is responsible for overseeing the development and release of the product, including managing and owning risks associated with releases. This includes identifying potential risks and vulnerabilities in the software, coordinating with the development team to implement appropriate security measures, and ensuring that thorough testing and quality assurance processes are in place to mitigate risks.

Head of Product:

  • André Holmlund (fallback Christoffer Forsman)

Development Team

The development team, including software developers and engineers, plays a critical role in identifying and mitigating risks associated with releases. They should follow secure coding practices.

Head of Engineering:

  • Kristian Gustafsson (fallback Peter Eriksson)

Security Team

The organization’s security team, can provide guidance and support to the product team in identifying and mitigating security risks related to releases. They can conduct security assessments, provide security best practices, and offer expertise on secure coding practices and vulnerability management. Contact the AppSec team (Team lead Sebastian Olsson) for consultation.

Security champions enlisting

For every product team, there should be a named security champion to consult for security concerns. This person should have an establish relationship with the AppSec team.

Champions:

  • Technology - Richard Ulfvin (fallback Jonas Lagerström, Simon Björzén)
Last updated on