An End to Testing Ourselves Secure?

Why I'm Here

Ground Rules
• This is a presentation discussion. Let other people speak!
• 15 minute time-boxed discussions; revisit parked issues at the end.

Framing the Problem
• Where we find flaws today
• Highest ROI
• Look familiar?
Where we find flaws today
Highest ROI
Look familiar?
Relative cost to fix, based on time of detection (Source: NIST)
Discussion Question 1: Is there a problem with relying primarily on verification? Isn't static analysis a "good enough" solution?

Discussion Question 2: Can we effectively scale training and threat modeling?

Discussion Question 3: Can we effectively scale security requirements?
Cultural Challenges to Secure SDLC
• "Incompetent developer" challenge
• "Security is special" challenge
• Domain-specific vs. domain-agnostic
• Fitting a square peg into a round hole