20. “We found that blockages at the end of the project were much more expensive than at the beginning - and InfoSec blockages were among the worst”
Justin Arbuckle
21. “By having Infosec involved throughout the creation of any new capability, we were able to reduce our use of static checklists dramatically and rely more on using their expertise throughout the entire software development process.”
Justin Arbuckle
28. Defect Tracking & Post Mortem
Security issues in work tracker:
Visibility ++
Priorities ++
Security issue -> post mortem
Rework --
Team knowledge ++
29. Preventive security controls
Provide security libraries or services that every modern application or environment requires
Place them in a central location, easily accessible to anyone
35. Security of software supply chain
“The typical organization uses 18,614 external software parts. Of those components being used, 7.5% had known vulnerabilities, with over 66% of those vulnerabilities being over two years old without having been resolved.”
Sonatype 2015 State of the software supply chain report
37. Security and monitoring
“Year after year, in the vast majority of cardholder breaches, organisations detected the security breach months or quarters after the breach occurred. Worse, the way the breach was detected was not an internal monitoring control, but was far more likely someone outside of the organization”
Marcus Sachs (Verizon data breach researcher)
38. Security and monitoring
• Set up central monitoring and make it easy to use
• Application level
• Environment
39. Security and monitoring: Etsy example
• abnormal process terminations
• internal server errors (500)
• database syntax errors
• indications of SQL injection attacks (UNION ALL)
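The four signals on this slide, turned into a small log classifier as an added example (this is not Etsy's code, and the key=value log format and the sample lines are constructed for the example; the regexes are my own assumptions about what each signal looks like in an application log):

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (invented for this example, not real data).
# Assumed format: space-separated key=value pairs, quoted when they contain spaces.
SAMPLE_LOGS = [
    'status=200 path=/listing/123 msg=-',
    'status=500 path=/cart msg="uncaught exception in checkout"',
    'status=200 path=/search?q=%27%20UNION%20ALL%20SELECT%201,2-- msg=-',
    'status=500 path=/search msg="DB: You have an error in your SQL syntax"',
    'status=200 path=/item msg="php-fpm worker 7 exited on signal 11 (SIGSEGV)"',
    'status=200 path=/search?q=union+station msg=-',   # benign: must not fire
]

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Assumed signal patterns, one per bullet on the slide (case-insensitive)
SQLI_RE = re.compile(r"\bUNION\s+ALL\b|\bUNION\s+SELECT\b", re.IGNORECASE)
DB_SYNTAX_RE = re.compile(r"SQL syntax|syntax error at or near", re.IGNORECASE)
TERMINATION_RE = re.compile(r"exited on signal|segfault|core dumped", re.IGNORECASE)


def parse_line(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(line):
    """Return the set of monitoring signals a single log line triggers."""
    f = parse_line(line)
    msg = f.get("msg", "")
    signals = set()
    if f.get("status") == "500":
        signals.add("internal_server_error")
    if DB_SYNTAX_RE.search(msg):
        signals.add("db_syntax_error")
    if TERMINATION_RE.search(msg):
        signals.add("abnormal_termination")
    # URL-decode the path first so %20 / + encoded payloads are not missed
    if SQLI_RE.search(unquote_plus(f.get("path", ""))):
        signals.add("sqli_indicator")
    return signals


def summarize(lines):
    """Count how often each signal fires across a batch of log lines."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return counts


if __name__ == "__main__":
    for signal, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{signal}: {n}")
```

In practice these counts would feed the central monitoring of slide 38, graphed per minute so a spike in any one of them is visible to the whole team rather than buried in a log file.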
41. “Nothing helps you understand how hostile the operating environment is than seeing your code being attacked in real-time.”
Nick Galbreath