AppSec California 2017

This talk highlights important lessons in scaling the software security touchpoints described in the book Software Security and making them work efficiently and effectively in a global software security initiative.  The talk will focus on the top three touchpoints, discussing tools, technology, people and processes for each:

• Code review with a static analysis tool.  What is better, a centralized factory model or tools on all developer’s desktops?  How do you set things up to fix what you find?  How do you avoid rejection of a complex toolset that requires real expertise to use?  What about frameworks that are in common use but stymie current commercial tools?  Are false positives a real issue?
• Architectural risk analysis. How do you even begin to scale something requiring so much expertise and experience to the enterprise?  What kinds of knowledge make this process more efficient?  How do you gather intelligence about threats?  What are the top ten security design flaws?
• Penetration testing.  What role should pen testing play in a software security initiative?  Is it best to develop capability in house or hire outside experts?  What kinds of access to design documents and source code should pen testers get?  Does pen testing scale?  How often should an application be tested?

These questions and others will be addressed head on using examples from the 95+ BSIMM firms and many years of real world experience.  (Firms in the BSIMM include, Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Highmark Health Solutions, Horizon Healthcare Services, Inc., HP Fortify, HSBC, Independent Health, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, Target, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.)