Most people in Application Security talk about business risk and potential ROI when trying to drive organizations towards implementation of a software assurance program. They'll speak to architecture reviews/threat modeling, static analysis (aka: code reviews or white box testing), dynamic analysis (aka: vulnerability assessments), and pen testing. They'll refer to charts noting the cost of fixing defects earlier vs later in the process. More often than not, they'll note that software security vulns are 50% flaws (architecture), 50% bugs (code).
The purpose of this talk is to provide an alternative (not different or better) approach to discussing software assurance. Sports is a huge business (recreational, college, pro, high school, any level). The process of game day preparation is one of teamwork - it involves coaches, players, trainers, medical staff, and equipment managers. While fans don't see a lot of the underlying parts, it is the teams that run more efficiently that win championships.
Through interaction with the audience, various movie clips, and demonstrations, I will show how each step of the software assurance process maps quite nicely to that game day process.
Copyright 2020, IronGeek