Develop for Security: A “Development Practice” Based On A “Bad Guy’s” Perspective


Most development shops treat secure coding standards as the basis of their security efforts. While coding standards are an excellent reference for developers, they are the “nuts and bolts” and not the blueprint. Relying on secure coding standards alone misses the forest of security issues that crop up during development.

This talk provides an overview of the full spectrum of “develop for security” issues and concerns. Unlike coding standards that run to hundreds of pages, a simple 5X3 “develop for security” format is presented (5 development concerns, 3 top issues per concern). This format not only encompasses the top “coding” concerns (as presented in our talk, “Coding for Security…”), but also covers the 20% of development concerns that create 80% of the security issues.

Moreover, unlike coding standards and other security reference material, it is presented in a simplified format that the average developer can remember and apply daily. This cannot be said of coding standards, which are often 500+ pages long, or of coding security guides. This approach is easily implemented and integrated by any development team. Once it is integrated, 80% of security concerns are mitigated, raising the bar an attacker must clear to succeed in their attacks.


  • Errata
  • Presenters’ Credentials & Experience
  • Misguided Security Mindsets
  • What’s Broken
  • Why Develop for Security?
  • Pareto Principle
  • Secure Development Focus
  • Bad Guy Wants You To Do
  • Q&A


This presentation is typically a 1 1/2 – 2 hour talk. It can be compressed into an hour for groups that will limit Q&A. The audience for this talk should include the full set of workers and leaders associated with the company’s development activities.

  • 1 hour Compressed Format – Can be done as a Lunch and Learn, as a single-hour conference session, or in a similar presentation setting. Audience interactivity will be limited in order to cover all content.
  • Normal Format (1 1/2 – 2 hours) – Typically conducted as two 45-minute sessions with a 10-minute break. Audience participation throughout the discussion will be encouraged. More detailed technical questions related to specific development “stacks” can be prepared for specific audiences.