Thoughts from the Ed TALK panel: Fast-Tracking Software Security
Thinking back on yesterday’s Ed TALKS panel, which featured Dinis Cruz, Sasha Rosenbaum, and Seba Deleersnyder, a few concepts came to light from our conversation.
Application security *is* more difficult than other areas of security
Both Dinis and Seba agreed wholeheartedly that software security is more difficult because one needs to have a background as a developer to be effective in application security. Sasha didn’t agree as much, taking the ever-positive approach that you can accomplish whatever you want to. However, the panel confirmed that this particular area -- software security -- is more challenging than other areas of cybersecurity.
Threat modeling *absolutely* has a place in CI/CD
I went into this talk knowing that Sasha is huge in DevOps, and Dinis is huge in speed (how he talks, how he develops, and how he pushes his team), so I was fully expecting them to say that threat modeling has no place in modern software development because it slows things down too much. I was also expecting Seba to counter their statements, knowing he's a threat modeling instructor. It turns out all three panelists agreed that threat modeling ABSOLUTELY has a place in a continuous integration/continuous deployment (CI/CD) model, in DevOps, and in Agile. That really surprised me. I was thrilled to hear it, of course, as I too am a big fan of threat modeling. Dinis went so far as to say that threat modeling enables the speed of DevOps because it tells you where you need more human attention and where you can automate.
Security Champions FTW!
I didn’t expect this: all the panelists agreed on the idea of security champions in a positive way, even when I suggested that Gartner recommends the idea (security professionals often run counter to what ivory tower analysts suggest). Everyone was a huge proponent of security champions. Dinis said it was the cheapest and fastest way to scale your security team, which I found pretty interesting. Sasha was behind the concept wholeheartedly, especially the hands-on capture-the-flag (CTF) activities recommended by Gartner. She said a CTF was part of her origin story in security. Having taken part in a CTF as a developer, she thought to herself, "Oh my! How many of these vulnerabilities have I pushed into production?" That’s precisely the kind of awareness that we, as an industry, are trying to build in the development community. Dinis said it succinctly: "I don't want my developers to be security experts; I just need them to be AWARE of it." He further said that security can (and should) be a driver for the overall quality of software. I was happily surprised we spent so much time diving deep into the benefits of security champions. I had a whole sheet of questions we never even got to!