SPLC as a Service

Presented at AppSec USA 2017, Sept. 22, 2017, 11:30 a.m. (45 minutes)

A Secure Product Lifecycle (SPLC) is integral in ensuring software is written with security in mind, but companies struggle to create a successful process with limited security resources and minimal impact to engineering teams. This session will discuss lessons learned, soup-to-nuts, through the process of designing, rolling out, and measuring a scalable SPLC.

In Adobe's Digital Marketing business unit, two security analysts created a successful program that has scaled to support thousands of engineers. Defining security requirements and KPIs for engineering teams is just the first step in creating the SPLC. In order to make the design a reality for several products, thousands of engineers, and millions of lines of code, we organized our team into an 'as a service' model and utilized automation to scale to meet this demand. Establishing a strong security ambassador program helped ensure the success of the SPLC. The centralized ambassador network has been crucial to the success of all product security initiatives throughout the business unit. We will give examples of how ambassadors have assisted with incident response, driven training and security culture initiatives, and championed security-related projects on their individual teams.

We will explore a case study of one of our most successful SPLC-driven programs: static code analysis. By fully automating the process from code check-in to delivery of results, we achieved 100% buy-in from all engineering teams in the Digital Marketing business unit. The process was designed to have minimal impact on the engineering teams and to be integrated into their existing workflows, allowing for a very low-overhead program that adds value. The engineers code and commit as they normally would. On the backend, our static code analysis engine scans the commit and injects any findings into their existing bug-tracking system.
You will walk away from this talk with on-the-ground knowledge to establish an effective SPLC by establishing and utilizing security ambassadors and providing seamless automation to support these key initiatives.
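
The step that keeps such a pipeline low-overhead is the reconciliation between each scan and the tickets already open: every real finding should become exactly one ticket, a re-scan must not re-file it, and a fixed finding should close it. The following is an added illustration of that logic, not code from the talk or from Adobe; the finding shape, the in-memory tracker, and the severity threshold are all assumptions.

```python
"""Reconcile static-analysis findings with open bug-tracker tickets.

Illustrative example (not the program described in the talk). Findings are
assumed to be plain dicts as a SAST engine might emit them; the tracker is
modelled as an in-memory list of issues carrying a stored fingerprint.
"""
import hashlib
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def fingerprint(finding):
    """Stable identity for a finding: rule + file + whitespace-normalised snippet.
    Line numbers are excluded on purpose, so an unrelated edit that shifts
    lines does not make an existing finding look new."""
    snippet = re.sub(r"\s+", "", finding["snippet"])
    raw = f"{finding['rule_id']}|{finding['file']}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def reconcile(findings, open_issues, min_severity="medium"):
    """Return (tickets_to_create, issues_to_close) for the current scan."""
    threshold = SEVERITY_RANK[min_severity]
    current = {fingerprint(f): f for f in findings
               if SEVERITY_RANK[f["severity"]] >= threshold}
    known = {issue["fingerprint"]: issue for issue in open_issues}
    to_create = [
        {"title": f"[SAST] {f['rule_id']} in {f['file']}:{f['line']}",
         "fingerprint": fp, "severity": f["severity"]}
        for fp, f in current.items() if fp not in known]
    to_close = [issue for fp, issue in known.items() if fp not in current]
    return to_create, to_close

# Constructed sample data: a re-scan after one fix and one line shift.
SCAN = [
    {"rule_id": "SQLI-001", "file": "app/db.py", "line": 57, "severity": "high",
     "snippet": "cur.execute('SELECT * FROM u WHERE id=' + uid)"},
    {"rule_id": "XSS-002", "file": "app/views.py", "line": 12, "severity": "medium",
     "snippet": "return '<p>' + name + '</p>'"},
    {"rule_id": "STYLE-9", "file": "app/views.py", "line": 3, "severity": "low",
     "snippet": "import os, sys"},
]
OPEN_ISSUES = [
    {"id": 101, "fingerprint": fingerprint(dict(SCAN[0], line=40))},  # line moved
    {"id": 102, "fingerprint": "deadbeefdeadbeef"},  # finding fixed since last scan
]

if __name__ == "__main__":
    create, close = reconcile(SCAN, OPEN_ISSUES)
    print("file:", [t["title"] for t in create])
    print("close:", [i["id"] for i in close])
```

Running it files one new ticket (the XSS finding), leaves the moved SQL-injection finding attached to issue 101, and closes issue 102; the low-severity style finding is filtered out by the threshold.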

Presenters:

  • Julia Knecht - Manager, Security & Privacy Architecture - Adobe
    Julia Knecht manages Product Security and Privacy Architecture at Adobe. She created and is responsible for the Secure Product Lifecycle of Adobe's Experience Cloud Business. An integral and invaluable piece of the Secure Product Lifecycle is her Security Champions program, which has been running successfully for three years.
  • Taylor Lobb - Manager, Security and Privacy - Adobe
    Taylor is responsible for vulnerability detection and remediation for Adobe's Digital Marketing Business. In addition to leading a team of penetration testers, Taylor has designed and successfully automated vulnerability detection systems that support all of Digital Marketing engineering.
