1. InfoconDB
  2. OWASP
  3. AppSec USA 2017
  4. Handling of Security Requirements in Software Development Lifecycle

Handling of Security Requirements in Software Development Lifecycle

Presented at AppSec USA 2017, Sept. 22, 2017, 11:30 a.m. (45 minutes)

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.   After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT which we developed in order to support and accelerate this process.   The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software (e.g. type of software, criticality), and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.   Work in progress (currently targeting mainly integration to other systems, automated testing of requirements and reporting) as well as future plans will form the last part of the talk.

Presenters:

  • Rene Reuter - IT Security Consultant - Robert Bosch GmbH
    René Reuter is a security engineer with over 6 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Boschs' applications and infrastructure. René holds a Master's Degree in Computer Science from the University of Applied Sciences Karlsruhe.
  • Daniel Kefer - Head of Application Security - 1&1 Mail & Media Development & Techhnology GmbH
    Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he currently leads an internal application security team supporting development teams with security challenges of their work. With OWASP, he leads the SecurityRAT project and contributes to the SAMM project.

Links:

Similar Presentations: