Lessons Learned from Implementing Software Security Programs


Presented at CircleCityCon 2015 by

A common approach to securing software is to try to break it after it has already been made available to the customer or to the public (or, in slightly more proactive environments, to do software security testing just prior to code release). While this type of validation is important, it is incomplete and inefficient as a lone software security control. To make significant and sustainable changes to the security of software, we need to push left in the development lifecycle, incorporating activities like Security Training, Threat Modeling, Secure Engineering, and SDLC-Integrated Security Analysis. In this talk, I will share lessons learned from implementing these types of programs at small and large enterprises. What kind of groundwork do you need to do? How do you work with developers who aren't already trained in security? What types of questions should you be asking when selecting tools and processes? How can automation and metrics serve you? What are some of the major pitfalls and concerns? How do you make sure there is strong adoption of the security process enhancements? We'll talk about these questions and more as we look at how to enhance software security programs.