
(ISC)² Security Congress 2021 - Career Center & Recordings

1778680 - Measuring Security Effectiveness

Oct 18, 2021 11:00am - Oct 18, 2021 12:00pm
Credits: None available.

Description

How do you measure the effectiveness of security? In 2016, we established a security function within software engineering. Taking a software engineering approach to security, we created testing services, hired developers to build tools, conducted secure code reviews and created our AppSec training program. In 2020, we challenged ourselves to evaluate the effectiveness of our program by analyzing the impact of our team’s services on pen-test findings. A three-month data analysis found that development teams working with us fixed their pen-test findings faster and had significantly fewer new pen-test findings than teams we didn’t work with. In this talk, we will share the specific application security practices that led to these improved outcomes, and how we adjusted our services in response to our findings.

Learning Objectives:
  • Identify the key application security practices that have been shown to reduce risk.
  • Understand how to analyze the security data and adjust a program in response.
  • Know how to set up and run an experiment to evaluate the effectiveness of a security control.

Speaker(s):

Tags: Intermediate

Credits

  • 1.00 - CPE


Unoanwanaile Okon
10/19/21 3:16 pm

It was a good session. It would have been helpful to qualify the title as "Measuring Software Security Effectiveness". This would have been a more accurate name for the session.

charles searl
10/19/21 7:07 pm

Good feedback from pen tests and code reviews; app developers need more oversight :)