Chapter 8. Creating a Product Security Team

This chapter deals with issues related to creating a Product Security Team (PST). Because the details about securing an executive’s support, funding, and similar items are covered in Chapter 2, “Forming an IRT,” this chapter does not go into those details again. The focus of this chapter is on items specific to a PST.

Why Must a Vendor Have a Product Security Team?

The answer to this question is quite simple—because we have not learned how to mass produce large and complex applications without errors. There are few notable exceptions to this rule, and only a handful of moderately complex (but not trivial!) applications are in constant use and apparently do not have security vulnerabilities. This is ...
