Explore a conference talk from GrrCON 2017 that delves into the journey of realizing software security maturity, addressing both the challenges and benefits encountered along the way. Learn about the evolution of application security programs, from low to high maturity levels, and understand the importance of balancing tactical and strategic approaches. Discover key metrics, starting points, and existing models for implementing security programs. Gain insights into Duo Security's experiences, including their team values, engineering practices, and the concept of a "paved road" for security. Examine the Security Maturity Model, covering aspects such as compliance, efficiency, and community content. Investigate essential security services like threat modeling, code audits, and security assessments. Understand the significance of functional QA, office hours, and intake processes in maintaining security standards. Conclude with valuable takeaways on hacking, security defects, and the overall importance of a mature software security program.
Overview
Syllabus
Intro
Application Security Programs
Low Security Maturity
Medium Security Maturity
High Security Maturity
Application Security Team
Tactical and Strategic
Program vs No Program
Metrics
Starting from scratch
Existing models
BeSam vs Ideal State
Key Takeaways
Duo Security
The Big Takeaway
Team Values
Engineering
Low Friction
Paved Road
How Could It Go
No Code Left Behind
Security Maturity Model
Compliance
Efficiency
Community Content
Free Time
Microsoft SDL
Training
Security Services
Threat Modeling
Code audits
Security assessments
Security metrics
Functionally
QA
Office Hours
Intake Process
What do they need
TLDR
Kickoff Checklist
Hacking
Security Defects
Conclusion
