Building an Application Security Program

Offered By: YouTube

Tags

Conference Talks Courses, Quality Assurance Courses, Continuous Improvement Courses, Application Security Courses, Dynamic Analysis Courses, Static Analysis Courses, Software Development Life Cycle (SDLC) Courses

Course Description

Overview

Learn how to build an effective application security program in this comprehensive conference talk from the Central Ohio InfoSec Summit 2016. Explore various methods of application security, including static and dynamic analysis, and understand the importance of manual verification. Discover the concept of Kaizen for continuous improvement in your security practices. Gain insights on starting small, aligning AppSec with SDLC, and expanding your program effectively. Understand why policies and standards matter, and learn how to influence projects from their inception. Delve into additional considerations such as setting up a quality assurance program and the importance of verifying security measures.

Syllabus

Intro
Disclaimer
The path of least resistance
AppSec Objective: The goal of Application Security is to reduce the risks within an application!
Methods of AppSec
Static Analysis (Code Testing)
Dynamic Analysis: The objective of performing a dynamic test is to attempt to verify the effectiveness of the secure coding testing. This verification step is necessary in order to
Components of AppSec Web Applications
Manual Verification: The objective of performing a final manual test is to smoke-test the final product and ensure that any anomalies discovered during prior assessment phases are verified to be closed, corrected, and no longer pose a threat.
Kaizen: Continuous Improvement
Additional Considerations
Start Simple, Start Small: The vast majority of companies simply do not understand what many of us (Security People) do.
Why Policies & Standards Matter: During two phases, AppSec will have its greatest influence: Project Definition and System Overview. Your greatest ability to influence a project starts here - the business does not like surprises - do not tell them at the 11th hour (Implementation). Hey NASA, we have a problem!
Align AppSec with SDLC
AppSec Program Expansion Considerations: If you do not have a formal Quality Assurance Program, stand one up!
Trust but Verify ...