Security vs. Development: The SDLC’s Game of Thrones

Presenters:Ian Spiro, CodiscopeNabil Hannan, Cigital

Motivation• Ensure the software that

powers our business secure and risks are limited.

Battle Cry• Build Security In

Weapons• SAST, DAST• Training• Architecture Analysis

Motivation• Continuously deliver

valuable software to the customer.

Battle Cry• Keep It Simple

Weapons• Open source• IDEs

Catalyst 1: Security Responsibility

• Companywide ownership• Invest in resources• Proactive not reactive

• Yesterday’s bugs are bad• Tool integration

Catalyst 2: Tool Deployment

• Embed in dev culture• Make them easy to use

• Provide tool training• Integrate in process• See productivity gains

Catalyst 3: Communication

• Vet bug lists• Collaborate on solutions• Speak the same language• Negatives are hard to prove

Maintaining Peace

• Secure from the start

• Threat modeling

• Training

Questions?

• More questions email us info@cigital.com

• Resources• Agile Security Manifesto | sws.ec/man1festo• Jacks, as SAST tool for developers | jacks.codiscope.com• Delivering Security in an Agile World | sws.ec/agil3