[CR1.6: 32] Use centralized reporting to close the knowledge loop.
The bugs found during code review are tracked in a centralized repository that makes it possible to do both summary and trend reporting for the organization. The code review information can be incorporated into a CISO-level dashboard that might include feeds from other parts of the security organization (e.g., penetration tests, security testing, black-box testing, and white-box testing). Given the historical code review data, the SSG can also use the reports to demonstrate progress and drive the training curriculum (see [SM2.5 Identify metrics and use them to drive budgets]). Individual bugs make excellent training examples. Some organizations have moved toward analyzing this data and using the results to drive automation.
[CR1.7: 51] Assign tool mentors.
Mentors are available to show developers how to get the most out of code review tools. If the SSG has the most skill with the tools, it could use office hours or other outreach to help developers establish the right configuration or get started on interpreting results. Alternatively, someone from the SSG might work with a development team for the duration of the first review they perform. Tool mentors are one way to move a tool from centralized SSG use into the development organization and its toolchains over time, but providing installation instructions and URLs to centralized tools isn’t the same as mentoring. Increasingly, mentorship extends to tools associated with deployment artifacts (e.g., container security) and infrastructure (e.g., cloud configuration). In many organizations, satellite members (e.g., champions) take on the tool mentorship role.