A common approach to securing software is to try to break it after it has already been released to the customer or to the public (or, in slightly more proactive environments, to run security testing just prior to code release). While this kind of validation is important, it is incomplete and inefficient as the only software security control: it finds defects late, when they are most expensive to fix, and it does nothing to prevent the same classes of defects from being written again. To make significant and sustainable improvements to the security of software, we need to push left in the development lifecycle, incorporating activities such as security training, threat modeling, secure engineering, and SDLC-integrated security analysis. In this talk, I will share lessons learned from implementing these types of programs at small and large enterprises. What kind of groundwork do you need to do? How do you work with developers who are not already trained in security? What questions should you be asking when selecting tools and processes? How can automation and metrics serve you? What are some of the major pitfalls and concerns? How do you make sure the security process enhancements are actually adopted? We'll talk about these questions and more as we look at how to enhance software security programs.
Bio: Todd is the Application Security Practice Lead at Pondurance and has more than a decade of experience in information security. He has built application security programs and secure application development guidelines for large organizations including WellPoint and Liberty Mutual. His role at Pondurance is focused on helping clients secure their software and web applications through manual, dynamic, and static testing; implementing security in the development lifecycle; threat modeling and secure application architecture; developer and security training; security vulnerability remediation guidance; adherence to and customization of models such as the Software Assurance Maturity Model; and application security testing tool selection, implementation, and adoption. Todd attended Rose-Hulman Institute of Technology, where he graduated cum laude with a Bachelor of Science in Computer Science. He is a GIAC Certified Web Application Penetration Tester (GWAPT) and a Certified Information Systems Security Professional (CISSP).
Copyright 2020, IronGeek