Building a Collaborative & Social Application Security Program

Presented at SOURCE Seattle 2017, Oct. 5, 2017, 3:15 p.m. (45 minutes)

In today’s environment there is no arguing that a comprehensive secure development process is necessary. Fitting tools, technology, and security reviews into our current development cycle has become table stakes for companies building the software of tomorrow. Breaking the “find and fix” vulnerability-based assessment cycle so that software is developed with security in mind from start to finish is critically important, but doing this without a collaborative and social security program that draws on bug bounty programs, security researchers, and every aspect of vulnerability disclosure misses a huge opportunity. In this talk I will explore how your security program can reach beyond the Secure SDLC. We will discuss:

  • Bug Bounty Programs - Why you want to invite security researchers to hack your products.
  • Marketing your Security Program - How and why to market your security program: what to say, how to say it, and where to say it for maximum effectiveness.
  • How to Communicate with Security Researchers - What security researchers expect in communication, responsiveness, transparency, and time to fix.
  • Vulnerability Disclosure Options - What public vs. responsible disclosure means and how to handle each.
  • Integration with an Existing Security Program - You may already be training your developers, using outside vendors, and performing internal security testing; where do these other aspects fit in?


  • Joe Basirico - VP of Services at Security Innovation
    Joe is responsible for leading the Professional Services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to direct the security consulting team in the delivery of high-quality, impactful risk and software assessment and remediation solutions to the company’s customers. His ability to blend deep technical skills with risk-based business and compliance analysis is a powerful combination.