Edward van Deursen
Securesult B.V. (The Netherlands)
Moving from DevOops to DevSecOps – Practical integration of Security-by-Design
Are you developing or maintaining an application or system and is there a lack of security requirements? Do you get security requirements from your Security Office and not know what they mean? And if you do have security requirements, do you know how to test (and automate) them?
We see organisations struggle with the implementation of Security-by-Design in their development and maintenance processes. The result is an application that isn't secure. A security test at the end of the development cycle then identifies vulnerabilities that could have been avoided if the right processes and steps had been taken. Security is bolted on at the end, instead of integrated from the start.
In this presentation we first analyse why the implementation of security requirements in applications isn't as successful as it could be.
Second, we give a practical method to identify security requirements when they were not defined by the business or the security department. This method is based on the six ways a hacker can compromise a system, and it will help you write abuser stories and misuse stories.
Finally, we present a practical set of security requirements in the form of logical test cases that every team member can test. This set is generic and simple to automate.
In the presentation we will make links with Safety-by-Design.
- Lessons learned on how Security-by-Design can be integrated
- A practical set of security requirements and test cases to start DevSecOps with
Edward is the founder of Securesult. He coaches DevOps teams to obtain more and better security and privacy requirements and to implement those requirements in their IT systems.
Edward van Deursen is an Information Security & Privacy Management Coach and an Ethical Hacker.