
Framework Overview

Every task your organization has to do repeatedly should be scalable (linear or better) in terms of human input. Policies are a wonderful tool for making process scalable.

Winters, T., Manshreck, T., & Wright, H. (2020). Software engineering at Google: Lessons learned from programming over time. O’Reilly Media.

The Secure Delivery Framework is a way of working for a Product Delivery Organisation that meets and exceeds best practices for establishing the security of delivered software products. It defines the essential capabilities needed for a high-performing organisation to meet its security and compliance targets while delivering value to customers.

What is the framework?

Here’s the framework’s scope and the groups of people considered:

The diagram has boxes-and-arrows showing (from the bottom up) Product Teams managing product risk for a Product Delivery Organisation, both informed by a Technology Community of Practice. The Product Delivery Organisation manages delivery risk for the Organisation it's part of. The organisation has compliance obligations set for it by external Regulatory Bodies and by any Group Organisation that the Organisation is part of.

And the resources that each group maintains in the framework:

The diagram has boxes-and-arrows showing that the Product Delivery Organisation maintains Documented Risks, Product Security Policy and Agreed Ways Of Working. The Technology Community Of Practice maintains Product Security Levels, Product Security Knowledge and Product Security Insights. Product Teams maintain Product Inventory, Product Working Practices and Product Security Work.

Developed by Secure Delivery, the framework was created over years of working with some of the world’s largest and most regulated organisations to raise security and delivery capabilities across the entire product lifecycle, including leadership, product management, and software engineering.

Guided by our four principles, the framework has been developed to be:

  • Internally Assured: There is no requirement for external assurance from a security team.
  • Understandable: Clear responsibilities and accountabilities are described using simple and rigorous language.
  • Adaptable: The security capabilities of the framework can be implemented in a way that is specific to your organisation and product teams.
  • Scalable: The framework can be used by an organisation with a single product team or a thousand.
  • Evidenced: The security capabilities in the framework are quantitatively measured and continuously improved.

and includes:

  • A clear and simple Product Security Policy with rigorous language (the ‘What’)
  • All Documented Risks that are addressed by the Product Security Policy (the ‘Why’)
  • Clearly assigned, scalable and effective responsibilities and accountabilities with just three types of responsible groups and three types of accountable roles (the ‘Who’)
  • A collection of the fewest necessary standards and other documentation to meet the security and compliance requirements of most organisations, with templates to guide their creation by the people of your Product Delivery Organisation (the ‘How’)
  • Comprehensive guidance on all terms and concepts used in the framework—everything is defined

This level of rigour and completeness sets the Secure Delivery Framework apart from currently available maturity models and other heavyweight approaches.

You can explore the framework from two perspectives:

  1. By responsible group and their maintained resources defined in the framework, if you’re interested in who does what.
  2. By the security capabilities achieved through implementing the framework, if you’re interested in the threats, defenses, and evidence required to deliver secure software projects.
