How do you measure the effectiveness of security?
In 2016, we established a security function within software engineering. Taking a software engineering approach to security, we created testing services, hired developers to build tools, conducted secure code reviews and created our AppSec training program. In 2020, we challenged ourselves to evaluate the effectiveness of our program by analyzing the impact of our team’s services on pen-test findings. A three-month data analysis found that development teams working with us fixed their pen-test findings faster and had significantly fewer new pen-test findings than teams we didn’t work with. In this talk, we will share the specific application security practices that led to these improved outcomes, and how we adjusted our services in response to our findings.
Learning Objectives:
Identify the key application security practices that have been shown to reduce risk.
Understand how to analyze the security data and adjust a program in response.
Know how to set up and run an experiment to evaluate the effectiveness of a security control.
Unoanwanaile Okon
10/19/21 2:16 pm
It was a good session. It would have been helpful to qualify the title as "Measuring Software Security Effectiveness". This would have been a more accurate name for the session.
charles searl
10/19/21 6:07 pm
good feedback from pen test and code reviews
app developers need more oversight :)
Ian Mills
10/29/21 9:12 pm
Interesting indeed, but as above, title didn't reflect the focus on software development! Either way, thanks guys - obviously a lot of time and effort behind this presentation.
Venkatesh Raju
11/20/21 10:07 pm
Great session, and agree with Okon's comments on the slightly misleading title.