Training
 Core security training
Requirements
 Establish security requirements
 Analyze security & privacy risk
 Define quality gates & bug bars
Design
 Establish design requirements
 Attack surface analysis
 Threat modeling
Implementation
 Specify tools
 Enforce banned functions
 Static analysis
Verification
 Dynamic/fuzz testing & analysis
 Verify threat models & attack surface
Release
 Incident response plan
 Final security review
Response
 Execute incident response plan
Goals:
 • Protect customers
 • Reduce the number of vulnerabilities
 • Reduce the severity of vulnerabilities

Principles:
 • Prescriptive, practical, proactive
 • Eliminate security problems early
 • Secure by design

An undetected software requirement defect can cost 50 to 200 times as much to fix when discovered later in the development or postdevelopment process.

One hour of software QA activities can save between 3 and 10 hours of postrelease remediation work.

A defect found and fixed during a code review would cost 10 to 100 times as much to fix if discovered later in the development or postdevelopment process.