Secure Application Development
Home faculty program location registration subscribe related past events	Getting a buy-in to a secure development process Learning objectives This session examines the effectiveness of the measures proposed in the secure development processes that have emerged in the last couple of years. It aims to reach consensus amongst participants on simple, actionable advice for improving the security of applications delivered by development teams. Overview The insecurity of software application is at best embarrassing, at worst a threat to a society that continues to rapidly increase its reliance on software. A number of organizations are attempting to stem the tide of software vulnerabilities by adding activities to the software development life cycle that focus on security aspects. Notable processes are Microsoft's SDL, OWASP's CLASP, Cigital's touchpoints process. Their core ideas and practices are debated in affinity groups: testers, architects, project managers and programmers. People are encouraged in this part of the session to narrowly focus their attention on the vantage point of the function they choose when they join an affinity group in order to ensure that we examine the proposed measures from all perspectives. Each group is requested to select 2 or 3 measures that they would like to adopt in their team and provide a plan for their introduction. These proposals are subjected to critical scrutiny by the other teams in bi-lateral discussions, i.e. teams discuss in pairs. Proposals are subsequently refined. In this phase, the functional vantage point of the affinity group is relaxed. Participants are explicitly encouraged to modify the elements of the existing processes as they see fit and/or to add others. The resulting proposals are then taken to a plenary session.

Secure Application Development

Getting a buy-in to a secure development process

Learning objectives

This session examines the effectiveness of the measures proposed in the secure development processes that have emerged in the last couple of years. It aims to reach consensus amongst participants on simple, actionable advice for improving the security of applications delivered by development teams.

Overview

The insecurity of software application is at best embarrassing, at worst a threat to a society that continues to rapidly increase its reliance on software. A number of organizations are attempting to stem the tide of software vulnerabilities by adding activities to the software development life cycle that focus on security aspects. Notable processes are

Microsoft's SDL,
OWASP's CLASP,
Cigital's touchpoints process.

Their core ideas and practices are debated in affinity groups: testers, architects, project managers and programmers. People are encouraged in this part of the session to narrowly focus their attention on the vantage point of the function they choose when they join an affinity group in order to ensure that we examine the proposed measures from all perspectives. Each group is requested to select 2 or 3 measures that they would like to adopt in their team and provide a plan for their introduction. These proposals are subjected to critical scrutiny by the other teams in bi-lateral discussions, i.e. teams discuss in pairs.

Proposals are subsequently refined. In this phase, the functional vantage point of the affinity group is relaxed. Participants are explicitly encouraged to modify the elements of the existing processes as they see fit and/or to add others. The resulting proposals are then taken to a plenary session.