Objectives and activities
Background - (Why)
Always safe is one of three pillars in the Equinor strategy. Safety in the digital world includes cyber security. Equinor has many software development teams (internal and partner teams) and we expect a growth in DevOps teams in the future. Modern software development adopts all aspects of cloud capabilities, and thus there is also an increased information security and privacy risk.
The purpose of the AppSec team is to reduce cyber security risk in Equinor's SDLC - Software Development Life Cycle (DevOps teams).
The primary target audience for the team is Equinor's software development community, a.k.a. DevOps teams.
Main objectives - (How)
- Enable DevOps teams so they can reduce cyber security risks for software developed and operated by Equinor.
- Enable "shift-left" of security responsibility, meaning put developers in front, responsible for their application security. Striking the right balance between centralisation and team responsibility is crucial.
- Build competence, strengthen the community of practice, and provide hands-on help and tools for Equinor's DevOps teams.
- Focus on software development in general and primarily on development that utilises the cloud (cloud native principles and practices).
- Work actively to create a good security culture for software development teams in Equinor.
- Work in close relationship with the IT Professional network. Leading Advisor for Security in Software Engineering is a key stakeholder and a member of the ISC AppSec team.
Activities - (What)
- Training/build competence - Develop a curriculum covering "Secure Software Development / Application Security" topics and provide training to Equinor's DevOps teams
- Engage, train and offer threat modelling for DevOps teams
- Practical hands-on help in Application Security/Secure Software Development - all aspects of the SDLC
- Measurements - Assessments of Application Security/Secure Software Development
- Build a community for Application Security, including security champions in Equinor DevOps teams
- Perform security testing - (tooling, automation, alignment with CSIRT/SOC)
- Host and maintain a library of "best practices" and examples
- Explore options on how to secure our development supply chain (e.g. Mandatory Equinor hubs and package repositories) - product owner for these solutions.
- Operate tools related to secure software development (e.g. Software Composition Analysis, Open Source Compliance, Static Code Analysis, Dynamic Code Analysis, Vulnerability scanning +++)