Gather Information

Information gathering is crucial if SD Elements is to be tightly integrated with the organization’s software development processes. This requires identifying the key personnel involved and interviewing them to gather as much information as possible about:

  • Software development processes & tools
  • Existing application security processes & tools

You can find specific questions to include in the Key Questions section of each of the following articles:

You will need to use your knowledge of the organization to understand which questions apply to which roles.

Keep in mind that you may need to ask certain process-related questions to several different people if the organization has more than one software development process. For example, one of the development teams might be following a waterfall model while another one might be following agile. In such scenarios, the list of roles you interview may differ by process.

Usually you will be time constrained when interviewing people, so you should prioritize your interviewee list by how much information each person can give you. A sample prioritized list of key personnel to interview includes:

  • Application security engineer / analyst / architect
  • Project manager / Scrum master
  • Development manager
  • Technical / enterprise architect
  • Penetration tester / security source code reviewer
  • Requirements analyst
  • QA manager
  • DevOps representative, if applicable