Embrace DevSecOps | ESM part 6

The concept of purple teaming is something I fell in love with many years ago, when I was experimenting with various ways to make myself more effective. Everything changed — in a good way — when I started embracing a culture of collaboration, where attackers and defenders work together to find the best possible way of securing the products.
We’re out there to help secure the business by working with all stakeholders, not just to pwn stuff and laugh at the people who made a mistake. Being a pwn-all-the-things rockstar asshole is overrated: fun in the short term, but it gives terrible results in the long term.
Purple teaming for the win. Let’s see how this great concept can be applied to day-to-day business operations that go beyond security red and blue teaming.

Make security simple | ESM part 5


Simplify it for them

Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. To get things done, you need to simplify and carefully explain your requirements.
Strive to make it easier to build secure products, because the cheaper it is to add security, the more likely it is to be included in the SDLC.
You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so they are easy to consume and use.

Outline SDLC/NDLC improvements | ESM part 4


Make it clear that security is a cost like any other in SDLC

Security shouldn’t be seen as an “addition” to product development. It is part of it, like all other activities, and can be counted as part of Quality Assurance, because nowadays customers demand high-quality products and safety is one of the elements that define quality.

Middle management is more willing to spend resources on security when they perceive it as a regular, necessary cost of software development, because there is never enough money and time to invest in “additional” activities. Security is often perceived as a no-ROI time-waster that adds complexity and slows down the development process. Unless you explain how and why security is important, you will have a tough time pushing security-related changes into an existing SDLC.