Building an Ambidextrous Software Security Initiative

Improving software security in software development teams is an enduring challenge for software companies. In this chapter, the authors present one strategy for addressing this pursuit of improvement. The approach is ambidextrous in the sense that it focuses on approaching software security activities both from a top-down and a bottom-up perspective, combining elements usually found separately in software security initiatives. The approach combines (1) top-down formal regulatory mechanisms deterring breaches of protocol and enacting penalties where they occur and (2) bottom-up capacity building and persuasive encouragement of adherence to guidance by professional self-determination, implementation, and improvement support (e.g., training, stimulating, interventions). The ambidextrous governance framework illustrates distinct, yet complementary, global and local roles: (1) ensuring the adoption and implementation of software security practices, (2) enabling and (3) empowering software development teams to adapt and add to overall mandates, and (4) embedding cultures of improvement.