You correctly emphasize the Level of Effort (LoE) associated with such standards. This isn’t one of those “Duh, it’s simple, just get off your butt and do it” things. Technology-specific standards require at least a dedicated staff of one and help from others distributed throughout the organization. That means commitment.

Dave speaks from experience, by the way. His organization does an outstanding job of making sure that both security and development folk have knowledge about critical vulnerabilities and emerging best practices from the industry at large.

From my perspective, obtaining critical mass of an initial set of standards requires the most LoE. Neither Developers nor Security Analysts will “come and get it” if when they initially explore they only find sparse and/or superficial guidance. I recommend building (or buying) a critical mass. What to tackle first? Well, what problems do you find most often when you assess your organization’s applications?

Once your organization obtains critical mass, I suggest using a distributed work-force for continued standard development and update. Your Security Analysts (conducting application reviews), Security Architects (helping out with secure design), and even savvy Developers (who might have created a nifty way around session forgery for their own use) all represent exceptional sources of new standards to be folded in. Whether or not the security group “buys back” the time these people spend developing standards depends on specifics of your org.

If you successfully create an environment of contribution, that one dedicated resource I prescribed should be responsible for coordinating, collecting, editing, vetting, and distributing standards. This person acts like an Editor in Chief of standards and may involve an editorial board of internal and/or external reviewers. Certainly, including Development Champions who can vouch for the practicality of given guidance aides in reception of and buy-in for standards.

What do you guys think out there?
-jOHN