1. Build communication channels (build a community): Large enterprises like the Federal government are particularly prone to the silo effect; a simple, well-managed intranet site can work wonders for leveraging the expertise that exists across an entire Department.
2. Share expertise (spread the expertise): Right now, most application security knowledge lives within security groups. This is a good start, but ultimately the programs are the ones that build and fix the applications; staff them with experts, too.
3. Think about tools (think beyond tools): While tools can automate certain assessment tasks, realize that they only assist with a portion of your assessments. Even then, assessments are just one portion of an assurance program.
4. Provide guidance manuals (provide guidance): Developers want to build secure, compliant software; they just don't always know how. Make standards, requirements and reference models available to your programs.
5. Test continuously (don't wait to test): Late-cycle testing under release pressure is stressful for the program and the testers alike. Start testing earlier in the cycle and involve your assessment team in the scheduling.
6. Keep observing and reviewing (zoom in with your continuous monitoring): A "minor" application change can fly through change control yet create huge vulnerabilities. Scrutinize changes to applications carefully, particularly on Internet-facing or other high-risk systems.