OWASP / samm

SAMM stands for Software Assurance Maturity Model.

review g-education-guidance #41

Closed SebaDele closed 5 years ago

SebaDele commented 6 years ago

explain CBT

check secure design principles list "Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability" (is there an OWASP project/reference for this?)

consider direct references to projects (e.g. such as WebGoat or Juice Shop) to assure for the text to stay timeless for the next 10 years (?)

maturity 2

maturity 3 (or 2): include in onboarding process; based on criticality of the application, developers can only start coding/committing after completing the training

instead of "While the complete training may be unnecessary on an annual basis ..." use "While updating the complete training may be unnecessary on an annual basis ..."

instead of "... develop these roles as Information Security subject-matter experts." use "... develop these roles as Software Security subject-matter experts."

organisation and culture: Add organisation of internal security events and participation in external communities (such as OWASP - chapters) as part of Organization and Culture ?

SW security instead of "information security" ? "liaison" instead of "liase on"

include security as part of the "culture" for everyone?

yanfosec commented 6 years ago

"Add organisation of internal security events and participation in external communities (such as OWASP - chapters) as part of Organization and Culture ?" --> For me this one is more for training. I don't remember who suggested it but I would love a more specific example.

yanfosec commented 6 years ago

I think with the exception of my question above, all other comments were satisfied.