“Secure SDLC Speed-run” presented at BSidesPerth 2018

by Matt Jones

Summary: Writing software comes with a lot of challenges – different industry trends and ways of working, legacy stuff to factor in, then there’s all the constraints along the way as deadlines approach.

Writing *secure* software then has its own set of challenges. The industry has in some ways evolved well past the old approach of waterfall-style projects with a penetration test at the end where people grumble risk acceptance. There’s a variety of security assurance approaches that various types of organisations use, with varying success, at different phases of a software project.

In reality though, there’s a lot of considerations to be made on a case-by-case basis to ensure energy is used wisely, the right people are rationalising threats you may or may not face, and you mature things incrementally, factoring all of this in.

This presentation will:

0) Quickly introduce Secure Development Lifecycles
1) Talk through managing threats for code you build on versus code you write
2) Run through a bunch of examples, i.e. eradicating entire vulnerability classes, understanding technology edge-cases, catching low-hanging fruit yourself, getting defence-in-depth stuff in your requirements/design, how some security activities can be part of your internal QA, how to set up a vulnerability disclosure process, and whatever else we can squeeze in
3) Cover how to best scope and engage third-party security assurance
4) Share a tonne of decent resources for you to learn more