Software Security: Industry Influencers / John Steven - Measuring the Cost of Application Security

Description

"If you take the big, monolithic testing effort you currently have at the end, and you push it towards the beginning but it remains monolithic, you're not going to get the dramatic increase in efficiency and decrease in cost you expect. It has to be an incremental effect." -- John Steven

One of the things I have recently been investigating is the true cost, the real cost, of security and how that changes based upon where in the application life cycle you are. I was talking with John Steven from Cigital and we agreed it might be good to record our thoughts to see where it leads.

"With security, it's not a question of how far left you can get. It's really a question of are you doing the right things at each step." -- John Steven

Highlights of our Discussion

00:45 - Source of current graphs on cost of application security
03:45 - How can you prove cost savings when including security earlier in the application life cycle
06:30 - Process vs technology
07:45 - How early in development should security be inserted
09:25 - Incremental security within the development process
12:17 - How do you measure the effect and efficiency of moving left

About John Steven

John Steven, Internal CTO, Cigital

John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and led the Northern Virginia OWASP Chapter. John contributed to the Hacking Exposed Mobile book, and speaks regularly at conferences and trade shows.

Subtitle
"If you take the big, monolithic testing effort y…
Duration
00:15:31
Publishing date
2013-10-24 19:19
Link
https://soundcloud.com/trustedsoftwarealliance/john-steven-measuring-the-cost
Contributors
  Mark Miller, Trusted Software Alliance (author)
Enclosures
  http://feeds.soundcloud.com/stream/116890439-trustedsoftwarealliance-john-steven-measuring-the-cost.mp3 (audio/mpeg)