Estimating Development Security Maturity in About an Hour

Explore a comprehensive conference talk from BSides Detroit 2017 that delves into estimating development security maturity in approximately an hour. Learn about three example stories, pre-meeting research techniques, and how to effectively meet with development teams. Discover key behaviors to look for, training approaches, threat modeling strategies, static and dynamic analysis methods, and scoring methodologies. Gain insights into reporting back, tips and tricks, and understand the differences between various security maturity models. Apply the knowledge gained to enhance your ability to assess and improve development security maturity efficiently.

Intro
NOT FOR NOOBS
THREE EXAMPLE STORIES
METHOD OVERVIEW
PRE-MEETING RESEARCH
MEET WITH THE DEVELOPMENT TEAM
DEVELOPMENT MEETING SAMPLE AGENDA
DEVELOPMENT MEETING WARNING SIGNS
FIVE KEY BEHAVIORS
WHAT TO LOOK FOR IN EACH
TRAINING: OPENERS
TRAINING: POSITIVES AND NEGATIVES
TRAINING: WARNING SIGNS AND EXITS
THREAT MODELING: OPENERS
THREAT MODELING: POSITIVES AND NEGATIVES
THREAT MODELING: WARNING SIGNS AND EXITS
STATIC ANALYSIS: OPENERS
STATIC: POSITIVES & NEGATIVES
STATIC: WARNING SIGNS AND EXITS
DYNAMIC ANALYSIS: OPENERS
DYNAMIC: POSITIVES AND NEGATIVES
DYNAMIC: WARNING SIGNS AND EXITS
V&IR: POSITIVES AND NEGATIVES
SCORING METHOD
REPORT BACK
TIPS & TRICKS
IS AND ISN'T
BUILDING SECURITY IN MATURITY MODEL
OPEN SOFTWARE ASSURANCE MATURITY MODEL
FOR JUST A FEW HOURS MORE
SUMMARY
APPLY WHAT YOU HAVE LEARNED TODAY