
Security Development Lifecycle

• Core security training

An undetected software requirement defect can cost 50 to 200 times as much to fix when discovered later in the development or post-development process.

• Establish security requirements
• Analyze security & privacy risk
• Define quality gates & bug bars
• Establish design requirements
• Attack surface analysis
• Threat modeling

One hour of software QA activities can save between 3 and 10 hours of post-release remediation work.

• Specify tools
• Enforce banned functions
• Static analysis
• Dynamic/fuzz testing & analysis
• Verify threat models & attack surface

A defect found and fixed during a code review would cost 10 to 100 times as much to fix when discovered later in the development or post-development process.

• Incident response plan
• Final security review
• Execute incident response plan

• Goals:
  • Protect customers
  • Reduce the number of vulnerabilities
  • Reduce the severity of vulnerabilities
• Principles:
  • Prescriptive, practical, proactive
  • Eliminate security problems early
  • Secure by design