Designing and building secure applications is a collaborative effort involving multiple roles. This guide is structured around those roles and the security factors each of them needs to consider. The categorization and the issues addressed are outlined below.
RACI stands for:
R: Responsible (the role responsible for performing the task)
A: Accountable (the role with overall responsibility for the task)
C: Consulted (people who provide input to help perform the task)
I: Informed (people with a vested interest who should be kept informed)
You can use a RACI chart at the beginning of your project to identify the key security-related tasks together with the roles that should execute each task.
Table 4 illustrates a simple RACI chart for this guide. (The heading row lists the roles; the first column lists tasks, and the remaining columns delineate levels of accountability for each task according to role.)
Tasks | Architect | System Administrator | Developer | Tester | Security Professional
---|---|---|---|---|---
Security Policies | R | I | A | | 
Threat Modeling | A | I | I | R | 
Security Design Principles | A | I | I | C | 
Security Architecture | A | C | R | | 
Architecture and Design Review | R | A | | | 
Code Development | A | R | | | 
Technology Specific Threats | A | R | | | 
Code Review | R | I | A | | 
Security Testing | C | I | A | C | 
Network Security | C | R | A | | 
Host Security | C | A | I | R | 
Application Security | C | I | A | R | 
Deployment Review | C | R | I | I | A