- Forum 12
Whether you work at a software-producing or a software-consuming organization, there is a high probability that you have approached security by combining penetration testing with DevOps security training. While these two activities may sound sufficient in many environments, they remain subject to limitations that greatly reduce an organization's ability to identify and fix problems while they are still "cheap". For example: What if the application gets updated frequently? What if the penetration testers forgot to perform some tests? What if your application was tested by a "junior tester", or was simply tested under a very short timespan? What if your organization doesn't actually know the development team (outsourcing scenarios)?

During this session, we will consider several web application project scenarios (in-house development, outsourcing, COTS acquisition, external hosting) and decompose these projects into smaller chunks. We will observe each phase of the systems development lifecycle (SDLC) and the software acquisition process (SAP), and see what the security industry currently offers to either "build" (doing things correctly), "control" (verifying what was done) or "defend" (dealing with insecure software in your environment).

Target audience: decision makers, stakeholders, procurement, project managers, and architects on web application projects. Technical knowledge of web development is not required.