The document discusses challenges with application security from different perspectives. It notes discrepancies between how security controls are thought to be implemented versus reality, and how different groups see each other. Two key issues that lead to these problems are identified as the lack of communication, which creates a vacuum, and an imbalance between the desired results of security initiatives and the effort required to achieve them. The document recommends addressing these issues by improving communication between groups, ensuring initiatives are realistic given available resources, and maintaining continuous analysis and policy adjustments.

1. Application security without
rose-colored glasses
From perspective of an infosecurity
community member

2. How we see software development

3. How we see software developers

4. How we think we work together

5. How we think security controls
are implemented

6. But in reality it looks different…

7. In reality software looks more like this

8. How software is maintained

9. How we see ourselves

10. How we feel they see us

11. How they really see us

12. How we see policies

13. How they see policies

14. How they see our initiatives

15. What we get in the end

16. Where this leads to

17. Why is this happening?

18. #1. Communication vacuum
We are sending
this artifact to save
their planet
Complete vacuum
What is this?
Where has it come from?
What do we do with it?
? ? ?

19. #2. No balance between the desired
result and effort needed to be spent in
order to achieve it

20. How to fix this?

21. Communication is the key
1. Eliminate vacuum in communications
2. Get closer to target audience, talk to them, get their
feedback
3. Work together to ensure that the target is realistic to
achieve and all necessary tools and resources are
available
4. Find balance between desired result and effort spent
to achieve it – otherwise there will be no result at all
5. Don’t stop when agreement is made and artifacts are
produced. This is only the beginning
6. Continuously analyze results of your work and try to
find sources of any issues, adjust accordingly

22. Policy maintenance is a
continuous process
Policy Policy
Publication
Adjustments Feedback Publication
Report to
manager
Analysis of Done
Results

23. P.S.

24. How they see me

25. How I see myself

26. Contact me:
mikhail@samoylenko.me
10/10/2012