Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance. Neither option is particularly appealing.
This talk is an open discussion about whether any scalable, measurable approaches exist for integrating security into the SDLC, and how well they work in practice. It will also consider how Agile development affects their effectiveness.
Points of discussion will include:
– Is static analysis sufficient?
– Developer awareness training
– Threat modeling / architecture analysis
– Secure requirements
– Considerations for procured applications