Explore the fundamentals of software security initiatives in this comprehensive NDC Oslo 2020 conference talk. Learn about the essential components of a successful AppSec program, including the right tools, activities, and culture. Discover how to balance finding, fixing, and preventing security issues in software development. Gain insights into lessons learned from two decades of software security experience and understand various techniques to address security challenges in Agile environments. Delve into SDLC-focused approaches and frameworks like the Software Security Framework from BSIMM. Examine key areas such as stakeholder management, strategy, compliance, training, attack modeling, security features, code review, testing, and vulnerability management. Get practical advice on starting small, improving continuously, and adapting security practices to match development speeds. Ideal for those looking to establish or enhance their organization's software security initiatives.
What Is a Software Security Initiative and Do I Need One
Overview
Syllabus
Intro
usr/bin/whoami MURLO
What is Software Security?
More than just...
printf("Hello, World\n")
Early 2000s: Fix the damn cod
Security in a waterfall world
We're Agile now
Efforts to get real
Option 1: SDLC-focused
Option 2: Use a framework E.g. the Software Security Framework from BSIMM
Stakeholders & Organisation.
Strategy & Metrics
Compliance & Policy
Training
Attack Models
Security Features & Design
Standards & Requirements
Architecture Analysis
Code Review
Security Testing
Penetration Testing
Software Environment
Config Mgmt & Vuln Mgmt
Start small
Security at the speed of developme...
Continually improve
Further reading
Online Resources
Taught by
NDC Conferences
