Pragmatic Application Security
Thoughts on Secure Software Development
Since “shift-left”, and also and “shift-right”, have increasingly been taken over as marketing terms, I believe it’s time to explore other directions as well. For instance upwards. In my opinion, one area that has received far too little attention is how we can elevate the priority of security and better promote its significance to management … Read more
Security Champions have been a proven and popular security practice over the years. We’ve learned from initiatives at companies with an AppSec leadership reputation like Netflix, AWS, Adobe, or Salesforce about the remarkable advantages of integrating this role within development teams. This approach is endorsed by industry standards and organizations like SafeCode, OWASP SAMM, and … Read more
The concept of integrating security into the software development process is not new. While I cannot definitively assert that Microsoft was the pioneer of this concept, the Secure Development Lifecycle (SDL) published by Microsoft in 2002 undoubtedly laid the foundation for what is now commonly known as a Secure Software Development Lifecycle (Secure SDLC or … Read more
Combining threat modeling with an agile development methodology such as Scrum is a quite challenging topic: Creating a threat model usually requires an experienced security expert and some effort to do this. But how does this work, when a model can be outdated quickly when new threats are introduced by every new user story and … Read more
Agile software development has gotten more and more attention in the last couple of years. Not only internet startups or media agencies but also large companies from conservative business lines like automotive, banking, insurance, and the public sector are more and more adjusting to the agile world. Since those companies are often already very much … Read more