Application Security and Cheese

Presented at Kawaiicon 2 (2022) Rescheduled, July 2, 2022, 4:45 p.m. (30 minutes)

Everyone loves cheese, right? This talk applies the Swiss cheese model to Application Security: each cheese slice is a security activity in the Secure Software Development Lifecycle. Each slice is a layer of defense, there to reduce the risk of threats becoming reality and to prevent vulnerabilities from various sources from making their way into production systems.

It covers how threats might still slip through: by looking at the limitations of each activity, what might move the slices so that the holes align, or open new ones, and let a vulnerability through, and what the next slice of cheese could be that catches the vulnerability and avoids an incident later in the development lifecycle. I'll share some of my experience in understanding when to do each activity and the problems I've previously encountered in working with development teams to introduce application security programs, telling a story of some of the things I have seen work in practice, some that haven't worked so well, and the questions that often come up when planning and implementing a set of security activities. It's not one size fits all: some activities will suit individual contexts better than others. Layering is key, both to provide defense in depth and to enable a gradual rollout, as the activities cost both effort and money.


Presenters:

  • Steve Esler
    From the UK originally, came to NZ in Jan 2021 - passionate about AppSec and building devices for Red Teaming on the side.
