I'm wondering if anyone else out there is working on integrating security into their SDLC like I am? Most of the information out there seems to be based on the Michael Howard book "The Security Development Lifecycle". He presented at our Austin OWASP meeting several months ago, and his ideas are great (and seem to have had a decent ROI within the MS bounds), but they seem very hard to translate to smaller companies (i.e. ones that can't hire 200+ people to form a security team).
Our developers barely follow a loose SDLC, so it's extra difficult to try to map that onto some sort of security process. How do you go about getting the right people to buy off? What kind of in-house training do you do? Do you do regular design reviews, threat modeling, and attack surface reviews? What about running scanning tools against your web applications before they move to production? Thoughts on whether that stuff is mandatory or overkill? I'm very interested in what others are doing with this stuff, especially in relation to PCI DSS, SOX, etc. Thanks!
Tags: howard, pci, sdlc, security, sox