Lessons Learned from Implementing Software Security Programs - Todd Grotenhuis (Circle City Con 2015 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)

Lessons Learned from Implementing Software Security Programs
Todd Grotenhuis

Circle City Con 2015

A common approach to securing software is to try to break software after it has already been made available to the customer or to the public (or, in slightly more proactive environments, doing software security testing just prior to code release). While this type of validation is important, it is incomplete and inefficient as a lone software security control. To make significant and sustainable changes to the security of software, we need to push left in the development lifecycle, incorporating activities like Security Training, Threat Modeling, Secure Engineering, and SDLC-Integrated Security Analysis. In this talk, I will share lessons learned from implementing these types of programs at small and large enterprises. What kind of groundwork do you need to do? How do you work with developers who aren't already trained in security? What types of questions should you be asking when selecting tools and processes? How can automation and metrics serve you? What are some of the major pitfalls and concerns? How do you make sure there is strong adoption of the security process enhancements? We'll talk about these questions and more, as we look at how to enhance software security programs.

Bio: Todd is the Application Security Practice Lead at Pondurance and has more than a decade of experience in information security. He has built application security programs and secure application development guidelines for large organizations including WellPoint and Liberty Mutual. His role at Pondurance is focused on helping clients secure their software and web applications through manual, dynamic, and static testing; implementing security in the development lifecycle; threat modeling and secure application architecture; developer and security training; security vulnerability remediation guidance; adherence to and customization of models such as the Software Assurance Maturity Model; and application security testing tools selection, implementation, and adoption. Todd attended Rose-Hulman Institute of Technology where he graduated Cum Laude and earned his Bachelor of Science in Computer Science. He is a GIAC certified Web Application Penetration Tester (GWAPT) and a Certified Information Systems Security Professional (CISSP).

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast