
Why can't we build secure software?


A lot is expected of software developers these days; they are expected to be experts in everything despite very little training.  Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.
This talk will explain how job insecurities can be brought out by IT leadership decisions, and how this can lead to real-life vulnerabilities in software. This is not a talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.

No more laying blame and pointing fingers; it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioral influencers, as well as several detailed and specific solutions, will be presented that can be implemented at your own place of work immediately. No more ambiguity or uncertainty from now on, only crystal-clear expectations.

Published in: Technology
Why can't we build secure software?

  3. This is me. I’m Tanya Janca, AKA @SheHacksPurple.
  4. This is me. I’m a Senior Cloud Developer Advocate at: What does THAT mean?
  5. This is me. I’m a Senior Cloud Developer Advocate. I work to make security features easier to use. It means I help developers use our products more securely. I provide feedback to make our products more secure. I do security research and share it with the community: security research such as this presentation, OWASP DevSlop, and much more.
  6. This is me. Application Security Evangelist.
  8. This is me. Ethical hacker. I want to know how things work.
  9. This is me. I’m obsessed with OWASP! Open Web Application Security Project: an international non-profit that operates chapters, projects and conferences all over the globe, in efforts to help everyone create more secure software.
  10. This is me. OWASP Ottawa Chapter Leader.
  11. This is me. OWASP DevSlop Project Leader.
  12. This is me. Software Developer (since the late 90’s). That’s over 20 years! AHHHHHHHHHHHH!
  13. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way. (Photo: Toronto, Canada, OWASP Meeting, Oct 2018)
  14. Let’s do this.
  24. The Plan: 1. Support dev and sec teams with processes, training, and resources so they can confidently get the job done. 2. Initiate and then maintain culture change.
  32. Start Security Earlier! Requirements → Design → Code → Testing → Release. Push Left!
  33. Break security activities into smaller pieces.
  38. (Photo: DevOpsDays Zurich, May 2018, with Nicole Becher of OWASP DevSlop)
  40. (Off Colour) Job Shadowing
  46. OWASP: Your new BFF!!! The Open Web Application Security Project.
  50. A message for conferences: No more “we’re screwed” keynotes.
  51. Lead By Example.
  52. The Plan
  59. https://aka.ms/GettingStartedWithAppSec
  60. Twitter: @SheHacksPurple; https://medium.com/@SheHacksPurple; https://aka.ms/DevSlopShow; https://aka.ms/DevSlop-Mixer; https://aka.ms/DevSlopTwitch
  61. https://aka.ms/Why-Cant-We
  62. Thank you. Tanya Janca, Cloud Developer Advocate, Microsoft; OWASP Ottawa Chapter Leader; OWASP DevSlop Project Leader. Tanya.Janca@Microsoft.com, Tanya.Janca@owasp.org, @SheHacksPurple
