As engineers, our goal is to deliver new features to the product, bringing clear value to customers. All of our KPIs and tools are built around facilitating exactly this: writing quality code while increasing our delivery velocity. Security doesn’t naturally fit into what we do on a daily basis. Or does it?
When we’re breached, everyone cares, from the CEO all the way down to the development teams, and it’s clear that we need to adopt security and AppSec measures to safeguard our software in the future. But it’s unrealistic to expect developers to easily work within AppSec and CyberSecurity tools, or to sacrifice development velocity to improve the security posture.
This talk will lay out a framework for AppSec and security leaders to communicate and facilitate security adoption by engineering teams and more importantly, emphasize ways to build security best practices into the development process holistically.
A bit of what I’ll cover:
1. Translating security to development:
- Going from a vulnerability bug list to ownership of the harm that vulnerabilities in their code can do.
- Tying together engineering and security KPIs.
- Stakeholder cooperation between SecOps, engineering, and product.
2. Best practices to integrate security tests from phase one.
3. Doing all this while balancing development velocity.