Lessons Learned Implementing SDLC – and How To Do It Better presented at Notacon 2014

by Sarah Clarke,

Summary : Developers and Quality Engineers are wonderful people who understand how to create, test, and validate features. They frequently aren’t, however, educated in school on architecting applications to prevent security failures, coding to not introduce security bugs, and testing to validate secure functionality.
The language of development – features, releases, agile – is not the same as security – XSS, CSRF, managing session state.
We have to communicate better with our developers and QEs, to inspire them to care, in their language; we have to work with senior management to identify how security fits into their needs to get buy-in and support.
This is a discussion on how that communication works best; overcoming cultural sticking points, and iterating through creating a process that creates better code without slowing down business.