Security Model Bedfellows

Explore a comprehensive case study from BruCON Security Conference on integrating security, legal, and procurement teams to enhance software security. Learn how one of the UK's largest online retailers implemented contractual obligations for vendors and service providers to address vulnerabilities before software launch. Discover a three-step action plan and framework for engaging legal and procurement in the security process, resulting in more secure software and improved visibility into partner development lifecycles. Gain insights into effective security controls, contract language examples, and strategies for dealing with vendor behavior. Understand the benefits of this approach in preventing costly post-launch fixes and reducing enterprise and customer risk.

Intro
Layer 9 Security Controls
The Agenda
The Reality
Broken Security
The Situation
Example Problem
What We Need We need
The Solution: Buckets
Bucket: Hosting Stuff
Bucket: Bespoke Development
Bucket: COTS / SaaS
What Does It Mean To Be In A Bucket?
Example Contract Language Infrastructure
Guidance To Legal/Procurement
Example Vendor Bad Behaviour
Worked Example
We Don't Win Every Point
Quid Pro Quo
Layer 9 Attack and Defence
Doing It Yourself