January 28, 2020

363 words 2 mins read

Integrating security into modern software development: A workflow study

Integrating security into modern software development: A workflow study

Application security testing has been around for a long time, yet successful attacks continue despite significant investments in application security. Shift left isnt enough for modern software development that needs integrated and automated continuous security testing. Lucas Charles looks at three key considerations to get you there.

Talk Title Integrating security into modern software development: A workflow study
Speakers Lucas Charles (GitLab)
Conference O’Reilly Open Source Software Conference
Conf Tag Fueling innovative software
Location Portland, Oregon
Date July 15-18, 2019
URL Talk Page
Slides Talk Slides
Video

Application security testing has been around for a long time, yet successful attacks continue despite significant investments in application security. And we shouldn’t be surprised when we’re applying testing tools developed more than 12 years ago to software development methods only made commonplace in the last 3–5 years. In addition, application security is least understood and often takes a back seat to perimeter and endpoint security. At the same time, there’s a misconception that the cloud provider takes care of all the security, and few people have considered new attack surfaces introduced by containers and orchestration. Tesla showed us the fallacy here. Traditional application security testing has been targeted to security professionals and is regarded as a separate process from development. This separation and delay creates friction in the process, with many trade-offs required. In an effort to improve application security testing, the new chant has been “shift left” to remove more vulnerabilities earlier and empower the developers. Lucas Charles examines the shortcomings of most shift-left efforts and how cloud native environments, Agile DevOps processes, and minimum viable products with rapid iteration wreaks havoc on traditional security methodologies. He dives into how to bring security into DevOps while avoiding a complex DevOps toolchain that must be integrated with security testing and explores new ways of thinking of app security to turn the industry on its head by using concurrent DevOps—a method that makes it possible for product, development, QA, security, and operations teams to work at the same time. You’ll learn the three key requirements of your application security process needed to get you onto the road of an efficient and secure software development lifecycle (SDLC).

comments powered by Disqus