Edward van Deursen

Securesult B.V. (The Netherlands)
Lecture

Moving from DevOops to DevSecOps – Practical integration of Security-by-Design

Are you developing or maintaining an application or system and is there a lack of security requirements? Do you get security requirements from your Security Office and don’t know what they mean? And if you do have security requirements, do you know how to test (and automate) them?

We see organisations struggle with the implementation of Security-by-Design in their development and maintenance processes. The result is an application that isn’t secure. A security test at the end of the development cycle then identifies vulnerabilities that could have been avoided had the right processes and steps been followed. Security is bolted on at the end, instead of integrated from the start.

In this presentation we first analyse why the implementation of security requirements in applications isn’t as successful as it could be.

Second, we give a practical method to identify security requirements when they have not been defined by the business or the security department. This method is based on the 6 ways a hacker can compromise a system, and it will help you write abuser stories and misuse stories.

Finally, we present a practical set of security requirements in the form of logical test cases that can be tested by every team member. This set is generic and simple to automate.

In the presentation we will also draw links with Safety-by-Design.

Takeaways:

  • Lessons learned on how Security-by-Design can be integrated
  • A practical set of security requirements and test cases to start with DevSecOps

Edward van Deursen bought his first computer in the 80s, a Commodore 64. That’s where his passion for computers began. In the late 80s he started his career as a COBOL programmer on mainframes and mini systems. Later he developed software in C/C++ for PCs. In 2006 he moved to QA, with roles such as tester, test manager and QA manager. In these roles he discovered that most product owners focus on functionality rather than on performance and security. Edward started a security test team within the organisations he worked for.

Edward is the founder of Securesult. He coaches DevOps teams to define more and better security and privacy requirements and to implement them in their IT systems.

Edward van Deursen is an Information Security & Privacy Management Coach and an Ethical Hacker.