It was truly a pleasure to speak at StarEast 2014 in Orlando, FL. While the conference is primarily focused on testing and quality assurance, the organizers were kind enough to let me speak about including security concepts as part of the software development lifecycle. With the complexity of software today, I think it’s important that we don’t treat security as something that has to be bolted on at the end of the SDLC, just before code goes into a Production environment. I also think it’s important that we don’t expect every developer to know everything that we “security guys (and gals)” know about security. The same concept of Defense in Depth that we use when protecting assets also applies to software development. By adding security at the beginning (design, development patterns, training), in the middle (testing, QA), and at the end (penetration testing, application scanning), we build a more secure process and therefore a more secure product.
I feel that the audience at my talk was receptive to this and interested in how to make it practical. That, to me, is the greatest of compliments! I’ve added a few links below that may help turn the concepts I spoke about into actionable work.
OWASP discussion on misuse stories that can be used for misuse cases: https://www.owasp.org/index.php/Agile_Software_Development:_Don’t_Forget_EVIL_User_Stories
SAFECode document on security-related Agile user stories: http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf
Great article on misuse cases: http://perceval.gannon.edu/xu001/teaching/shared/re_eng/termpaper/readingList/ElicitingSecReq_MisuseCases.pdf