Solving the AppSec Governance Disconnect

An often-seen anti-pattern in software architecture is the Ivory Tower Architect. It describes architects who work in isolation, disconnected from dev teams or real-world technical constraints. I like to refer to this as the InfoSec Tower Syndrome. While it’s not exclusive to AppSec, it’s particularly prevalent here with InfoSec often unaware of it. What is … Read more

Shift-Up Strategies for Elevating Product Security as a Management Priority

Since “shift-left”, and also and “shift-right”, have increasingly been taken over as marketing terms, I believe it’s time to explore other directions as well. For instance upwards. In my opinion, one area that has received far too little attention is how we can elevate the priority of security and better promote its significance to management … Read more

A Guide to Organizational AppSec Functions

With OWASP SAMM, BSIMM, and NIST SSDF, there have been excellent resources for some time that provide a basis for evaluating and improving application security within an organization. However, these sources often treat structural aspects, such as roles within an organization and their interdependencies, rather generally. For this reason, I want to share my personal … Read more

Why Security Champions Are Not the Silver Bullet

Security Champions have been a proven and popular security practice over the years. We’ve learned from initiatives at companies with an AppSec leadership reputation like Netflix, AWS, Adobe, or Salesforce about the remarkable advantages of integrating this role within development teams. This approach is endorsed by industry standards and organizations like SafeCode, OWASP SAMM, and … Read more

Secure Software Lifecycle Management (SSLM)

The concept of integrating security into the software development process is not new. While I cannot definitively assert that Microsoft was the pioneer of this concept, the Secure Development Lifecycle (SDL) published by Microsoft in 2002 undoubtedly laid the foundation for what is now commonly known as a Secure Software Development Lifecycle (Secure SDLC or … Read more

Shifting Security Left by Sharing Ownership & Responsibilities

Many discussions on how to shift security left in the SDLC, or about implementing DevSecOps in particular, are primarily focused on the integration of various security scanning tools in CI/CD pipelines. Although the use of such tools is indeed an important aspect, it is actually not the most important one. Without proper processes, tools often … Read more

SSDLC Quick Wins

Securing the software (development) lifecycle of a large organization will usually take a lot of time. Especially when you have to start very much at the beginning. It’s therefore vital to focus on quick wins first — measures that are effective and easy to implement at the same time. This is not only important from a risk … Read more

Agile Threat Modeling

Combining threat modeling with an agile development methodology such as Scrum is a quite challenging topic: Creating a threat model usually requires an experienced security expert and some effort to do this. But how does this work, when a model can be outdated quickly when new threats are introduced by every new user story and … Read more

Agile Security & DevSecOps Touch Points

Agile software development has gotten more and more attention in the last couple of years. Not only internet startups or media agencies but also large companies from conservative business lines like automotive, banking, insurance, and the public sector are more and more adjusting to the agile world. Since those companies are often already very much … Read more

Automating Security Tests – Part 1: Testing for Security Headers

Today, performing unit tests has become a standard in many development teams for automatically performing various tests on code (e.g. as a compulsory part of the build process). Especially in agile development, the existence, completeness and quality of such tests is a critical aspect for ensuring that the application is still working after each commited … Read more