4. • Risk Management
   – One of Many Risks
     – Operational Risk
     – Financial Risk
     – Reputational Risk
   – Transfer from Network Security to AppSec
Secure Development
27. • Training
   – Know Stakeholders
     – Project Managers
     – Development Managers
   – Tailor to Development Team
   – Use an Iterative Model
   – Incorporate Train the Trainer
   – Reinforce Training with Formal / Informal Incentives
31. • Coding Conventions & Architectural Standards
   – Architectural Enumeration Scenario
     – LAMP with Drupal
     – IAM via AD-based LDAP
     – Zend (PHP-based) Framework
     – Imperva DAM
     – Syslogd with ArcSight SIEM
     – DMZ w/ Load Balancing
32. • Procuring Secure Applications
   – Beware of Your Business Ecosystem
   – Weakest Link Mentality
   – Legal / SLA Verbiage
   – 3rd Party Reviews
     – ASP / Cloud / ISV
     – Mobile
     – COTS
     – Subsidiaries / Customers
33. • 10 AppSec Commandments
   1. Thou Shalt Execute AppSec at the Speed of Business
   2. Thou Shalt Not Architect Security
   3. Thou Shalt Evolve Your Testing Methodologies
   4. Thou Shalt Not Surprise Dev Teams
   5. Thou Shalt Test Apps in Production
   6. Thou Shalt Not Let Frameworks Replace Intelligence
   7. Thou Shalt Put Vulnerabilities in Proper Context
   8. Thou Shalt Not Give Dev Teams Access to Prod Data
   9. Thou Shalt Use a WAF/DAM with a Plan
   10. Thou Shalt Not Blame the Dev Team
Source: Dark Reading
34. • AppSec Use Cases
   – Strong SDLC & SDL Alignment
   – Socialize & Incentivize SDL Implementation
   – Embed AppSec SMEs in Dev Teams
   – Start on New Projects
   – Retrofit Legacy Apps / Systems as Time Permits
   – Iterative Improvement & Wins
   – No (Process / Tool) Silver Bullets