SlideShare ist ein Scribd-Unternehmen logo

Security & the SDLC - Marisa Fagan

Security B-Sides
Security B-Sides

Many companies are using an ad hoc software development strategy that uses as few resources as possible. Only when there is a security incident can these organizations justify change to management. We recommend a stripped down version of the classic Secure Development Lifecycle called "SDL Light" that recognizes the haste involved in a first release. It begins after the software is released and becomes compromised. SDL Light has two main advantages: Fast response and barebones resource requirements. The process uniquely manages this by heavily focusing on templates for testing and Errata's list of "20 Most Common Bugs" which identifies most security problems found in software. This process leverages the decades of combined research and on-site experience of the Errata Security pentesting team without the resource drain of housing a team of "Security Experts."

TechnologieBildung
1 von 6
Downloaden Sie, um offline zu lesen
Security & The SDLC Marisa Fagan Security Project Manager Errata Security
Who Am I? • Research on SDLC • Survey - bit.ly/ErrataSurvey • Security Project Manager • Looking Glass • Hamster • Ferret • AxBan
The Survey • Questions • Role/Company Size • Awareness • Testing • Methodology • Rant • Findings so far • No one solution for any two companies
Securing the SDLC • Many different choices • Decide what you can afford • Get creative about training • Short vs. Long term fix • Make specific changes • Save time by swinging a wide net • Trust in tools
SDL Light • Start with an incident • Requirements: Let the tools guide you • Design: Use a threat template • Gauntlet: Run the automated tools • Analysis: Unit test, master one vuln at a time, be specific • Sanity Check: Defense in Depth, check your work, Security Expert sign off & release
Questions? Comments? • http://www.erratasec.com xkcd

Empfohlen

The security sdlc
The security sdlcThe security sdlc
The security sdlcMohamed Siraj
 
Shushank
ShushankShushank
ShushankShushank Parihar
 
LeverX SAP PLM Rapid Prototype Case Study
LeverX SAP PLM Rapid Prototype Case StudyLeverX SAP PLM Rapid Prototype Case Study
LeverX SAP PLM Rapid Prototype Case StudyEric Stajda
 
Escaping the waterfall case study_FINAL
Escaping the waterfall case study_FINALEscaping the waterfall case study_FINAL
Escaping the waterfall case study_FINALCassandra Oxford
 
Clocky: The Runaway Alarm Clock Case Analysis
Clocky: The Runaway Alarm Clock Case AnalysisClocky: The Runaway Alarm Clock Case Analysis
Clocky: The Runaway Alarm Clock Case AnalysisDinker Vaid
 
Security Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server VirtualizationSecurity Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server Virtualizationrsnarayanan
 
V Model and W Model
V Model and W ModelV Model and W Model
V Model and W ModelMuhammad Asim
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 

Empfohlen

The security sdlc
The security sdlcThe security sdlc
The security sdlcMohamed Siraj
 
Shushank
ShushankShushank
ShushankShushank Parihar
 
LeverX SAP PLM Rapid Prototype Case Study
LeverX SAP PLM Rapid Prototype Case StudyLeverX SAP PLM Rapid Prototype Case Study
LeverX SAP PLM Rapid Prototype Case StudyEric Stajda
 
Escaping the waterfall case study_FINAL
Escaping the waterfall case study_FINALEscaping the waterfall case study_FINAL
Escaping the waterfall case study_FINALCassandra Oxford
 
Clocky: The Runaway Alarm Clock Case Analysis
Clocky: The Runaway Alarm Clock Case AnalysisClocky: The Runaway Alarm Clock Case Analysis
Clocky: The Runaway Alarm Clock Case AnalysisDinker Vaid
 
Security Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server VirtualizationSecurity Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server Virtualizationrsnarayanan
 
V Model and W Model
V Model and W ModelV Model and W Model
V Model and W ModelMuhammad Asim
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Waterfall
WaterfallWaterfall
Waterfalljatinder_dolon
 
System Development Life Cycle (SDLC) - Part I
System Development Life Cycle (SDLC) - Part ISystem Development Life Cycle (SDLC) - Part I
System Development Life Cycle (SDLC) - Part IEmertxe Information Technologies Pvt Ltd
 
Vmodel
VmodelVmodel
VmodelJordan Pilapil
 
V model in SDLC
V model in SDLCV model in SDLC
V model in SDLCJasour Obeidat
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
V model final
V model finalV model final
V model finalsuhasreddy1
 
software project management Waterfall model
software project management Waterfall modelsoftware project management Waterfall model
software project management Waterfall modelREHMAT ULLAH
 
Overview of SDLC - Waterfall, Agile, and more
Overview of SDLC - Waterfall, Agile, and moreOverview of SDLC - Waterfall, Agile, and more
Overview of SDLC - Waterfall, Agile, and moreSteve Gladstone
 
Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Mohamed Sami El-Tahawy
 
Fire alarm
Fire alarmFire alarm
Fire alarmarjunex
 
Waterfall model ppt final
Waterfall model ppt finalWaterfall model ppt final
Waterfall model ppt finalshiva krishna
 
case study of chandigarh college of architecture
case study of chandigarh college of architecturecase study of chandigarh college of architecture
case study of chandigarh college of architectureAbhishek Tiwari
 
fire detection and alarm system
fire detection and alarm systemfire detection and alarm system
fire detection and alarm systemsingh1515
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Testing Types And Models
Testing Types And ModelsTesting Types And Models
Testing Types And Modelsnazeer pasha
 
Fire Detection and Alarm Systems
Fire Detection and Alarm SystemsFire Detection and Alarm Systems
Fire Detection and Alarm SystemsJ.T.A.JONES
 
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDYFIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDYNamrata Jindal
 
System Analysis and Design
System Analysis and DesignSystem Analysis and Design
System Analysis and DesignAamir Abbas
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atlSecurity B-Sides
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6Security B-Sides
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides
 

Weitere ähnliche Inhalte

Andere mochten auch

software project management Waterfall model
software project management Waterfall modelsoftware project management Waterfall model
software project management Waterfall modelREHMAT ULLAH
 
Overview of SDLC - Waterfall, Agile, and more
Overview of SDLC - Waterfall, Agile, and moreOverview of SDLC - Waterfall, Agile, and more
Overview of SDLC - Waterfall, Agile, and moreSteve Gladstone
 
Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Mohamed Sami El-Tahawy
 
Fire alarm
Fire alarmFire alarm
Fire alarmarjunex
 
Waterfall model ppt final
Waterfall model ppt finalWaterfall model ppt final
Waterfall model ppt finalshiva krishna
 
case study of chandigarh college of architecture
case study of chandigarh college of architecturecase study of chandigarh college of architecture
case study of chandigarh college of architectureAbhishek Tiwari
 
fire detection and alarm system
fire detection and alarm systemfire detection and alarm system
fire detection and alarm systemsingh1515
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Testing Types And Models
Testing Types And ModelsTesting Types And Models
Testing Types And Modelsnazeer pasha
 
Fire Detection and Alarm Systems
Fire Detection and Alarm SystemsFire Detection and Alarm Systems
Fire Detection and Alarm SystemsJ.T.A.JONES
 
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDYFIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDYNamrata Jindal
 
System Analysis and Design
System Analysis and DesignSystem Analysis and Design
System Analysis and DesignAamir Abbas
 

Andere mochten auch (18)

Waterfall
WaterfallWaterfall
Waterfall
 
System Development Life Cycle (SDLC) - Part I
System Development Life Cycle (SDLC) - Part ISystem Development Life Cycle (SDLC) - Part I
System Development Life Cycle (SDLC) - Part I
 
Vmodel
VmodelVmodel
Vmodel
 
V model in SDLC
V model in SDLCV model in SDLC
V model in SDLC
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
V model final
V model finalV model final
V model final
 
software project management Waterfall model
software project management Waterfall modelsoftware project management Waterfall model
software project management Waterfall model
 
Overview of SDLC - Waterfall, Agile, and more
Overview of SDLC - Waterfall, Agile, and moreOverview of SDLC - Waterfall, Agile, and more
Overview of SDLC - Waterfall, Agile, and more
 
Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)
 
Fire alarm
Fire alarmFire alarm
Fire alarm
 
Waterfall model ppt final
Waterfall model ppt finalWaterfall model ppt final
Waterfall model ppt final
 
case study of chandigarh college of architecture
case study of chandigarh college of architecturecase study of chandigarh college of architecture
case study of chandigarh college of architecture
 
fire detection and alarm system
fire detection and alarm systemfire detection and alarm system
fire detection and alarm system
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Testing Types And Models
Testing Types And ModelsTesting Types And Models
Testing Types And Models
 
Fire Detection and Alarm Systems
Fire Detection and Alarm SystemsFire Detection and Alarm Systems
Fire Detection and Alarm Systems
 
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDYFIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
FIRE NORMS AND INDIAN HABITAT CENTRE CASE STUDY
 
System Analysis and Design
System Analysis and DesignSystem Analysis and Design
System Analysis and Design
 

Mehr von Security B-Sides

Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atlSecurity B-Sides
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySecurity B-Sides
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonSecurity B-Sides
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity B-Sides
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Security B-Sides
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineSecurity B-Sides
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsSecurity B-Sides
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldSecurity B-Sides
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?Security B-Sides
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSecurity B-Sides
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Security B-Sides
 

Mehr von Security B-Sides (20)

Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex Hutton
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett Hardin
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
 
2009 Zacon Haroon Meer
2009 Zacon Haroon Meer2009 Zacon Haroon Meer
2009 Zacon Haroon Meer
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the Gold
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
 
Make Tea Not War
Make Tea Not WarMake Tea Not War
Make Tea Not War
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)
 
Exploitation
ExploitationExploitation
Exploitation
 

Kürzlich hochgeladen

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 

Kürzlich hochgeladen (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 

Security & the SDLC - Marisa Fagan

  • 1. Security & The SDLC Marisa Fagan Security Project Manager Errata Security
  • 2. Who Am I? • Research on SDLC • Survey - bit.ly/ErrataSurvey • Security Project Manager • Looking Glass • Hamster • Ferret • AxBan
  • 3. The Survey • Questions • Role/Company Size • Awareness • Testing • Methodology • Rant • Findings so far • No one solution for any two companies
  • 4. Securing the SDLC • Many different choices • Decide what you can afford • Get creative about training • Short vs. Long term fix • Make specific changes • Save time by swinging a wide net • Trust in tools
  • 5. SDL Light • Start with an incident • Requirements: Let the tools guide you • Design: Use a threat template • Gauntlet: Run the automated tools • Analysis: Unit test, master one vuln at a time, be specific • Sanity Check: Defense in Depth, check your work, Security Expert sign off & release