The biggest challenge many Dev teams face when embracing web application security is knowing where to begin. How do you bring AppSec up to the speed of DevOps?
To paint a business-level picture of how to “shift security left” in a practical way with OWASP SAMM (Software Assurance Maturity Model), a recent episode of The Virtual CISO Podcast features Sebastien Deleersnyder, Co-founder & CTO at Toreon. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Sooner and faster
The earlier you can start embedding security controls into your software development lifecycle (SDLC or SDL), the better. But how does that look in today’s accelerated DevOps scenarios?
“That’s really our biggest challenge—how can we keep up with the speed of software development?” asks Sebastien. “The only way … is to align your [AppSec] activities with the development activities themselves. There is no magical dust that we can sprinkle over the software or an on/off button at the end to say, ‘Let’s switch on the security aspect.’ There is no silver bullet for that.”
OK, no silver bullet. But what ammo do you have? Sebastien and other experts recommend getting to know your SDLC, and your Dev team members, in depth.
“Align your activities with the development activities themselves,” Sebastien advocates. “We have to think about how the software is being created, and the people involved, and in what phases can we work together to make sure security is an integral part of that?”
To listen to this podcast episode with Sebastien Deleersnyder, click here.