Culture and Org. -> Education and Guidance: Regular security training for all
Risk and Opportunity
Risk: Understanding security is hard.
Opportunity: Provide security awareness training for all personnel involved in software development on a regular basis, for example twice a year for 1-3 days.
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
- If you do not have the budget to hire an external security expert, one option is to run an internal session using the OWASP Juice Shop on a "hacking Friday".
OWASP SAMM 1 Mapping: EG1-A
ISO27001:2017 Controls Mapping: