1 / 18

An End to Testing Ourselves Secure?

This presentation invites discussion on the current state of security in software development processes. We explore the flaws in relying solely on verification and the limitations of static analysis as a solution. Engaging in time-boxed discussions, we examine training scalability, effective threat modeling, and security requirements. Drawing from the NIST February 2012 report and insights from an Open SAMM assessment, we’ll tackle cultural challenges and resource allocation while seeking to improve our security frameworks. Join us for an interactive session aimed at finding effective solutions in secure SDLC.

john
Télécharger la présentation

An End to Testing Ourselves Secure?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An End to Testing Ourselves Secure?

  2. Why I’m Here

  3. Ground Rules

  4. This is a presentation discussion

  5. Let other people speak!

  6. 15 minute time-boxed discussions, revisit parked issues at the end

  7. Framing the Problem

  8. Where we find flaws today Highest ROI Look familiar? Relative cost to fix, based on time of detection Source: NIST

  9. February 2012 Report from Quocirca

  10. Results of an Open SAMM Assessment

  11. Discussion Question 1:Is there a problem with relying primarily on verification? Isn’t static analysis a “good enough” solution?

  12. Discussion Question 2:Can we effectively scale training, threat modeling?

  13. Discussion Question 3:Can we effectively scale security requirements?

  14. Resources

  15. Learning from other process changes

  16. “Incompetent developer” challenge • “Security is special” challenge • Domain-specific vs. domain-agnostic • Fitting a square peg into a round hole Cultural Challenges to Secure SDLC

  17. Conclusions?

  18. rohit@sdelements.comTwitter: @rksethi

More Related