How do you measure the effectiveness of security?
In 2016, we established a security function within software engineering. Taking a software engineering approach to security, we created testing services, hired developers to build tools, conducted secure code reviews and created our AppSec training program. In 2020, we challenged ourselves to evaluate the effectiveness of our program by analyzing the impact of our team’s services on pen-test findings. A three-month data analysis found that development teams working with us fixed their pen-test findings faster and had significantly fewer new pen-test findings than teams we didn’t work with. In this talk, we will share the specific application security practices that led to these improved outcomes, and how we adjusted our services in response to our findings.