Solving the AppSec Governance Disconnect

An often-seen anti-pattern in software architecture is the Ivory Tower Architect. It describes architects who work in isolation, disconnected from dev teams or real-world technical constraints. I like to refer to this as the InfoSec Tower Syndrome. While it’s not exclusive to AppSec, it’s particularly prevalent here, with InfoSec often unaware of it. What is …

Shift-Up Strategies for Elevating Product Security as a Management Priority

Since “shift-left”, and also “shift-right”, have increasingly been taken over as marketing terms, I believe it’s time to explore other directions as well. For instance, upwards. In my opinion, one area that has received far too little attention is how we can elevate the priority of security and better promote its significance to management …

SSDLC Quick Wins

Securing the software (development) lifecycle of a large organization will usually take a lot of time, especially when you have to start very much at the beginning. It’s therefore vital to focus on quick wins first — measures that are effective and easy to implement at the same time. This is not only important from a risk …

Agile Threat Modeling

Combining threat modeling with an agile development methodology such as Scrum is quite a challenging topic: creating a threat model usually requires an experienced security expert and some effort. But how does this work when a model can quickly become outdated, with new threats introduced by every new user story and …