Hi, here is the presentation I delivered last week at OWASP's AppSec Brazil conference: OWASP Brazil - Making Security Invisible by Becoming the Developer's Best Friends
I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us)
After you read the presentation, check out this video which I also recorded in Brazil: A developer's rant about security professionals (he was one of the developers in the audience who really related to the problem of receiving security guidance from security 'consultants' who don't understand his app).
The demos showed how O2 allowed this world to exist :)
Let me know what you think of it.
(info also at my blog http://diniscruz.blogspot.com/2011/10/my-presentation-at-owasp-appsec-brazil.html)
Making security invisible by becoming the developer's best friends (Owasp AppSec Brazil Nov 2011)
1. The OWASP Foundation
http://www.owasp.org
Making Security Invisible by
Becoming the Developer's
Best Friends
OWASP AppSec Latam 2011 (Brazil)
Dinis Cruz
dinis.cruz@owasp.org
2. Dinis Cruz
Long-time OWASP contributor
OWASP O2 Platform (project)
OWASP Seasons of Code
OWASP Summits (2008 & 2011)
OWASP Training Days
OWASP Books
Helped multiple chapters and conferences
Multiple tools & research at OWASP .NET
Set up Application Security Team at Global Bank
Performed Security Reviews (White and Black box) on 100s of apps
Credited for vulnerability on .NET Framework and vulnerability on Spring MVC
Worked for OunceLabs (now IBM AppScan Source) and made it work
Didn’t join IBM (after OunceLabs acquisition) and spent 18 months rewriting the OWASP O2 platform (and making my vision a reality)
Currently at Security Innovation (Boston/Seattle company)
3. Dinis @ Security Innovation
Responsible for the TeamMentor product
i.e. I’m shipping code
SI is going to Commercially Support the OWASP O2 Platform
with a focus on findings-automation and security-tools-integration
SI is a strong OWASP Supporter
Silver sponsor at AppSec USA
published OWASP TeamMentor Library under CC (Creative Commons)
published OWASP Top 10 e-learning course under CC
helping to clarify the commercial relationship with OWASP’s ecosystem
Sponsored me to come here
87. One where ‘Application
Security’ practices are
invisible/transparent to
99% of the parties
involved
(the 1% are the ones directly involved in security, such as security teams, devs, architects, CISO, etc...)
88. but before we get to
the solution, let's set the
stage....