Ah mom, why do I need to eat my vegetables?

Presented at AppSec USA 2015, Sept. 24, 2015, 2 p.m. (55 minutes)

Mom had a good reason for you to eat your vegetables; same thing goes with Application Security. It's the good solid meat and potatoes (and broccoli) that help our programs grow up big and strong. The latest software development practices are out pacing traditional application security programs. Agile and DevOps are increasing the speed and frequency of development and deployments. Traditional application security is either slowing the process down or being bypassed; neither path is good for business. Security must be integrated into the process so that it is not an afterthought that inhibits the release of new features and fixes, but rather an expectation set up front.

Does your organization have unlimited resources? Of course not, you need to know where (and how) to spend the limited resources that are available to you. If you have an unknown number of applications with unknown levels of risk; how do you know which ones you should spend your limited time and resources on (and to what level of effort)? This critical understanding of the security stature of an application is not possible without a solid secure development program.

You hear the terms "proactive application security" or "earlier in the SDLC" often where someone is talking about how they managed to get pen testing or code review earlier in the testing cycle. This is an all too common pitfall in Secure Development and is often bypassed when seen as an impediment to delivery. There is a lot of time and money spent on the post-code activities: code review, functional testing, vulnerability assessments, and penetration testing. These are crucial activities for validating the current state of the application; but they are simply too late and too slow by themselves.

If you security team is only searching for vulnerabilities, they are not looking at the big picture; and they are doing your developers a disservice. Your developers are being held to security requirements that were not part of the original application design. Before you get to a security assessment, you need a line of sight from the potential threats to the application, through the resulting security requirements, the design/architecture, and how the design incorporated security controls at the right levels to help mitigate those identified threats.

Hear about what's worked and not worked for different organizations in both the public and private sectors over several years of building secure development programs. There will be a focus on understanding the key components of a successful Secure Development Program, along with the critical differences when integrating with development life-cycles like Waterfall and Agile, and DevOps. See how secure development can feed your Risk Management Framework and other key initiatives and learn how a Secure Development Program may even justify its own existence.


  • John Pavone - CEO - Aspect Security
    As a proven leader and IT professional, John has concentrated solely on security for the last 20 years, holding various security leadership positions including VP of Application Security Program Services, Application Security Program Manager and Enterprise Security Architect. John is a frequent speaker/instructor at major conferences such as OWASP, BlackHat, FS-ISAC, and SecureGov. John's key accomplishments include establishing Aspect's Application Security Programs consulting practice, managing enterprise-wide IT security programs, implementing enterprise identity and authorization systems and automating secure development processes and tools. John designed and implemented secure architecture and supporting processes for some of the most critical and complex systems across industry sectors including Financial Services, Central Banking, Government Agencies, US Treasury, and Transportation. John holds dual degrees in Mathematics and Computer Science from West Chester University.


Similar Presentations: