File:OTD2011-BJ.pdf

Bruce Jenkins - How to Defend the Universe from Evil-doers: A Guide for Software Developers and Security Teams

Software security is often a bolt-on afterthought for dealing with potentially serious yet non-functional product issues. Software developers frequently have neither the time nor the inclination to deal with anything but the functional enhancements and bug fixes tracked in their defect tracking system. The Security Group, holding a corporate mandate to “secure the enterprise,” unmercifully throws at the Dev Team an enormous list of non-actionable “issues” derived from dynamic and static security testing. The Project Lead is naturally and legitimately concerned about release schedules, which are now understandably threatened by unfocused approaches to security issue identification and mitigation. Add to this a mixture of overt distrust and skepticism between the Security Group and the software developers, and organizations are left with a pile of suspected security issues and no resolution in sight. The CISO, meanwhile, could not care less about minutiae such as Cross-Site Request Forgery, but is instead focused on reducing business risk.

“Status quo” or “save the day”? The answer is obvious, but getting there is easier said than done. This presentation outlines the dysfunction common in organizations attempting to tackle software security assurance. The message ultimately focuses on what developers and security teams alike can do to lift themselves out of the quagmire in support of their C-level executives, who are endeavoring to prevent the next TJX- or Heartland-like security event.