Larger Product Delivery Organisations often don’t know every Product that they’re delivering, let alone what each Product consists of. As a catching-up exercise, a Product Delivery Organisation might task an individual or team with discovering everything and cataloguing it, but these centralised efforts lack complete coverage and are never maintained over time as the Product landscape changes.

It’s impossible to continuously improve quality, manage risk, or effectively detect and respond to security incidents if the Product Delivery Organisation doesn’t know what Products it has. As a Product Team, you know what you have and what it consists of. The only scalable and effective way to know what Products and technologies are in use by a Product Delivery Organisation is for each Product Team to maintain their own Product Inventory, and for the collection of them all to be available to the Product Delivery Organisation.

The Agreed Ways Of Working apply to the whole Product Delivery Organisation, but Product Teams each have their own specific working practices that vary depending on the type of product being developed, the technologies in use, the geographic distribution of the team and many other factors.

These Product Working Practices must be deliberate and considered, and it’s the responsibility of each Product Team to maintain their own Product Working Practices.

Being able to consistently track work to be done and prioritise that backlog of work is essential for security and overall Product delivery and Product Teams must have a system in place for this.

This framework places the responsibility with the Product Teams for scalability and to allow for the right approach to be taken for each Product Team. As this policy is the “What“ and the “Who“, it doesn’t state how work should be tracked. There are many popular tools for this or you could simply have sticky notes on a whiteboard.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what has to be in your Product Working Practices. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what work has to be included as part of Product Security Work. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what work has to be included as part of Product Security Work. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what work has to be included as part of Product Security Work. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

This objective, and the other similar ‘include‘ objectives, simply state what work has to be included as part of Product Security Work. You may want to include more, but you cannot be missing any of these and still deliver a secure Product.

The continued use of Products that are no longer supported by a Product Team and of Third-Party Product Components that are no longer supported by their maintainer is a widespread risk for Product Delivery Organisations.

Knowing how your Products and Third-Party Product components are supported, and when that support may end, is essential for a Product Delivery Organisation and the Head Of Product Delivery Organisation is accountable for this.

When a critical vulnerability is made known in a Third-Party Product Component that a Product Team is using there’s very little time to respond to the situation and upgrade the Third-Party Product Component before the Product is compromised. Typically, the first broadly-scanning exploits for the vulnerability are detected across the internet within 24 hours so fixing the issue the same day of it being reported or, at most, within the first 48 hours is essential.

High-profile customer data breaches have shown repeatedly that if a central team is tasked with knowing of these vulnerabilities and ensuring they get fixed by the Product Teams then the response time is too slow and the Product Delivery Organisation has a serious security incident with a potential large financial penalty. Product Teams know what Third-Party Product Components they’re using and what versions. They are best placed to know and respond to critical vulnerabilities. The Product Lead is accountable for this happening.

This objective seems obvious but is stated for clarity on an important issue that this framework addresses. A Product Team maintaining a Product Inventory that the Product Delivery Organisation is not aware of brings a lot of risks.

All Product Team’s Product Inventories must be accessible by the Product Delivery Organisation to allow risks to be managed and better-informed decisions to be made. The Product Lead is accountable for this happening.

A Product Team’s Product Working Practices don’t override Agreed Ways Of Working. Any necessary deviations from Agreed Ways Of Working by a Product Team must be communicated to the Product Delivery Organisation as defined elsewhere in this framework.

It’s essential that Product Working Practices are aligned with and support the Agreed Ways Of Working and the Product Lead is accountable for this.

Some aspects of a Product Team’s work are so important for security and overall delivery that they are stated explicitly in the policy of this framework, not left to optional definition in Agreed Ways Of Working or Product Working Practices. This objective is one of them and the Product Lead is accountable for it happening.

Some aspects of a Product Team’s work are so important for security and overall delivery that they are stated explicitly in the policy of this framework, not left to optional definition in Agreed Ways Of Working or Product Working Practices. This objective is one of them and the Product Lead is accountable for it happening.

Policy objectives that use the verb ‘Ensure‘ assign accountability to a person. This is an accountability objective. While Product Leads are accountable for all the responsibilities of a Product Team, some accountabilities are called out specifically for clarity.

Some aspects of a Product Team’s work are so important for security and overall delivery that they are stated explicitly in the policy of this framework, not left to optional definition in Agreed Ways Of Working or Product Working Practices. This objective is one of them and the Product Lead is accountable for it happening.

Some aspects of a Product Team’s work are so important for security and overall delivery that they are stated explicitly in the policy of this framework, not left to optional definition in Agreed Ways Of Working or Product Working Practices. This objective is one of them and the Product Lead is accountable for it happening.

Some aspects of a Product Team’s work are so important for security and overall delivery that they are stated explicitly in the policy of this framework, not left to optional definition in Agreed Ways Of Working or Product Working Practices. This objective is one of them and the Product Lead is accountable for it happening.

This, and its corresponding Product Quality Metrics objective, combine to form the continuous quality improvement loop that each Product Team is responsible for and each Product Lead is accountable for.

How a Product Team is working determines the quality of the Product being delivered. Improvements in Product Working Practices raise the quality of delivery processes and the quality of the Product. Product Teams make improvements to their working practices based on clear information on all aspects of their Product’s current level of quality and on clear information on how well the Product Team is delivering change. The two types of information must be considered together to ensure that no aspect of Product quality is below that required by the Product Delivery Organisation and that the Agreed Ways Of Working and Product Working Practices are not adversely affecting delivery to a level unacceptable to the Product Delivery Organisation.

This, and its corresponding Product Quality Metrics objective, combine to form the continuous quality improvement loop that each Product Team is responsible for and each Product Lead is accountable for.

How a Product Team is working determines the quality of the Product being delivered. Improvements in Product Working Practices raise the quality of delivery processes and the quality of the Product. Product Teams make improvements to their working practices based on clear information on all aspects of their Product’s current level of quality and on clear information on how well the Product Team is delivering change. The two types of information must be considered together to ensure that no aspect of Product quality is below that required by the Product Delivery Organisation and that the Agreed Ways Of Working and Product Working Practices are not adversely affecting delivery to a level unacceptable to the Product Delivery Organisation.

As the decision-maker for prioritisation of Product work, the Product Lead is accountable for work relating to the security of the Product being done.

This means the Product Lead assigns the necessary delivery time and ensures the Product Team has the necessary capabilities to complete the work. Product management/ownership must balance the functional and non-functional aspects of Product quality to be effective and the Product Lead is accountable for their Product’s security quality alongside the other aspects of quality.

This, and its corresponding Product Quality Metrics objective, combine to form the continuous quality improvement loop that each Product Team is responsible for and each Product Lead is accountable for.

Product Teams make informed decisions on work priority based on clear information on all aspects of their Products current level of quality and on clear information on how well the Product Team is delivering change. The two types of information must be considered together to ensure that no aspect of Product quality is below that required by the Product Delivery Organisation and that the Agreed Ways Of Working and Product Working Practices are not adversely affecting delivery to a level unacceptable to the Product Delivery Organisation.

This, and its corresponding Product Delivery Metrics objective, combine to form the continuous quality improvement loop that each Product Team is responsible for and each Product Lead is accountable for.

Product Teams make informed decisions on work priority based on clear information on all aspects of their Products current level of quality and on clear information on how well the Product Team is delivering change. The two types of information must be considered together to ensure that no aspect of Product quality is below that required by the Product Delivery Organisation and that the Agreed Ways Of Working and Product Working Practices are not adversely affecting delivery to a level unacceptable to the Product Delivery Organisation.

Policy objectives that use the verb ‘Ensure‘ assign accountability to a person. This is an accountability objective. While Product Leads are accountable for all the responsibilities of a Product Team, some accountabilities are called out specifically for clarity.

It’s not scalable or effective for a Product Delivery Organisation to have a central team or person chasing dozens or even hundreds of Product Teams to ensure their Products meet the security requirements of the Organisation.

A Product Team being unable to build and operate its Product in a way that meets the requirements of the Product’s Security Level, for reasons that are communicated to, and accepted by, the Product Delivery Organisation is handled by this framework and results in either:

• The Product Security Levels being improved to meet the specific needs of more Products or,
• Documented Risks being updated to capture and manage the deviation from Product Security Levels

If Product Security Levels and the guidance for them is not clear and understandable for a Product Team then that is a problem the Technology Community Of Practice must address.

It does not mean that the requirements of a Product’s security level can be ignored by the Product Team. This prevents continuous security improvement by the Product Delivery Organisation.

Products change constantly. New features are developed and the overall design of the Product will evolve over time. Manually testing for the continued presence of all the required Minimum Application Requirements For Security as the Product is developed is time-consuming and simply won’t be done frequently enough, if at all.

To consistently ensure that every release of the Product meets its Minimum Application Requirements For Security the Product Team must implement automated testing for the implementation of these requirements. The Product Lead is accountable for this automated testing being created and maintained.

The requirements of Product Security Levels can be exceeded but they must never be left unmet by a release of a Product. If measurements from testing a Product release during the Product Build Process show that the new version of the Product will not meet the requirements of its Product Security Level then that release must never enter the Product Deployment Process.

The Product Lead is accountable for this happening.

The requirements of Product Security Levels can be exceeded but they must never be left unmet by a release of a Product. If measurements from testing a Product release during the Product Deployment Process show that the new version of the Product will not meet the requirements of its Product Security Level then that release must never reach customers.

The Product Lead is accountable for this happening.

Being accountable for the security of their Products and of their Product Team, it’s clear that the Product Lead is also accountable for their Product Team understanding the Agreed Ways Of Working they must follow.

Being accountable for the security of their Products and of their Product Team, it’s clear that the Product Lead is also accountable for their Product Team understanding the Product Security Level requirements their Product must meet.