Security & the SDLC - Marisa Fagan


Description

Many companies are using an ad hoc software development strategy that uses as few resources as possible. Only when there is a security incident can these organizations justify change to management. We recommend a stripped down version of the classic Secure Development Lifecycle called "SDL Light" that recognizes the haste involved in a first release. It begins after the software is released and becomes compromised. SDL Light has two main advantages: Fast response and barebones resource requirements. The process uniquely manages this by heavily focusing on templates for testing and Errata's list of "20 Most Common Bugs" which identifies most security problems found in software. This process leverages the decades of combined research and on-site experience of the Errata Security pentesting team without the resource drain of housing a team of "Security Experts."

Transcript of Security & the SDLC - Marisa Fagan

Page 1: Security & the SDLC - Marisa Fagan

Security & The SDLC

Marisa Fagan

Security Project Manager

Errata Security

Page 2

Who Am I?

• Research on SDLC

• Survey - bit.ly/ErrataSurvey

• Security Project Manager

• Looking Glass

• Hamster

• Ferret

• AxBan

Page 3

The Survey

• Questions

• Role/Company Size

• Awareness

• Testing

• Methodology

• Rant

• Findings so far

• No one solution for any two companies

Page 4

Securing the SDLC

• Many different choices

• Decide what you can afford

• Get creative about training

• Short vs. Long term fix

• Make specific changes

• Save time by casting a wide net

• Trust in tools

Page 5

SDL Light

• Start with an incident

• Requirements: Let the tools guide you

• Design: Use a threat template

• Gauntlet: Run the automated tools

• Analysis: Unit test, master one vuln at a time, be specific

• Sanity Check: Defense in Depth, check your work, Security Expert sign off & release
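The "Analysis" step above (unit test, master one vuln at a time, be specific) is easiest to picture as a regression suite built from the incident that started the cycle. The following is an added example, not material from the slides or from Errata Security: it assumes the incident was a path-traversal bug in a file-download handler, and the base directory, the function name `resolve_download_path` and every input in the two corpora are constructed for illustration. The same shape (hardened function plus a corpus of known-bad and must-still-work inputs) can be copied as the template for the next vulnerability class.

```python
"""
Added example for the "Analysis" step of SDL Light: pin one vulnerability class
(here, path traversal in a download handler) with regression tests before
moving on to the next. Base directory, function name and all inputs are
constructed for illustration; they are not from the talk or from any real app.
"""
import posixpath
import unittest

BASE_DIR = "/srv/app/public"  # assumed document root of the download handler


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Map a user-supplied relative path onto base_dir, rejecting anything
    that could leave it. Raises ValueError on rejection.

    Assumes the caller has already URL-decoded `requested` exactly once;
    decoding again here would reintroduce double-decoding bugs.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing path")
    # Treat backslashes as separators so Windows-style payloads are not missed.
    cleaned = requested.replace("\\", "/")
    if cleaned.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    # After normpath, any net upward movement shows up as a leading '..'.
    normalised = posixpath.normpath(cleaned)
    if normalised in (".", "..") or normalised.startswith("../"):
        raise ValueError("path escapes or names the base directory")
    return posixpath.join(base_dir, normalised)


# Constructed regression corpus: payloads of the kind seen in the incident,
# plus benign requests that must keep resolving after the fix.
MALICIOUS_INPUTS = [
    "../etc/passwd",
    "docs/../../etc/passwd",
    "..\\..\\win.ini",
    "/etc/passwd",
    "",
    "a\x00.txt",
    "..",
    ".",
]
BENIGN_INPUTS = {
    "docs/readme.txt": "/srv/app/public/docs/readme.txt",
    "./docs//readme.txt": "/srv/app/public/docs/readme.txt",
}


def check_regressions(base_dir: str = BASE_DIR) -> tuple[int, int]:
    """Run the corpus and return (blocked, allowed) counts.

    Any payload that slips through, or any benign path that breaks, raises
    AssertionError so a CI build fails loudly.
    """
    blocked = 0
    for payload in MALICIOUS_INPUTS:
        try:
            resolve_download_path(base_dir, payload)
        except ValueError:
            blocked += 1
        else:
            raise AssertionError(f"traversal payload accepted: {payload!r}")
    allowed = 0
    for payload, expected in BENIGN_INPUTS.items():
        got = resolve_download_path(base_dir, payload)
        assert got == expected, f"{payload!r} resolved to {got!r}, expected {expected!r}"
        allowed += 1
    return blocked, allowed


class DownloadPathTests(unittest.TestCase):
    """unittest wrapper so the corpus runs under the team's normal test runner."""

    def test_known_payloads_rejected(self):
        for payload in MALICIOUS_INPUTS:
            with self.subTest(payload=payload):
                with self.assertRaises(ValueError):
                    resolve_download_path(BASE_DIR, payload)

    def test_benign_paths_resolve(self):
        for payload, expected in BENIGN_INPUTS.items():
            with self.subTest(payload=payload):
                self.assertEqual(resolve_download_path(BASE_DIR, payload), expected)


if __name__ == "__main__":
    unittest.main()
```

Each new incident adds its payload to `MALICIOUS_INPUTS` rather than a one-off fix, which is what "be specific" buys you: the test names the exact input that hurt, and the suite keeps proving it is still blocked on every release.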

Page 6

Questions? Comments?

• http://www.erratasec.com

(xkcd comic on the closing slide)