Youtube VOD: https://youtu.be/G3PxZFmDyj4

 

#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis

Questions and topics:

1. The background to the topic, why is it something that interests you?
How do you convince developers to take your course?

2. What do you think the root cause of the gap is?

3. Who is causing the gaps? ('go fast' culture, overzealous security, GRC requirements, basically everyone?)

4. Where do gaps begin? Is it the 'need' to 'move fast'?

5. What can devs do to involve security in their process? Sprint planning? SCA tools?

6. How have you seen this go wrong at organizations?

7. How important is it to have security early in the product development process?

8. What sort of challenges do you think mainstream security people face in AppSec scenarios?

9. How does Product Security differ from Application Security? (what if the product is an application?)

10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?

11.. How do you suggest a security team approach AppSec/ProdSec?
               Leadership buy-in
               Effective/valuable processes
               Tools should achieve a goal

12. SBOM - NTIA is asking for it, How to get dev teams to care.

13. Key takeaways?

Additional information / pertinent LInks (Would you like to know more?):
BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218

https://www.walkme.com/blog/leadership-buy-in/

https://www.bouncesecurity.com/

https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example

https://www.cisa.gov/sbom

SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd 

https://semgrep.dev/ 

https://www.linkedin.com/in/joshcgrossman 

https://owasp.org/www-project-application-security-verification-standard/ 

https://github.com/OWASP/ASVS/tree/master/5.0

https://owasp.org/www-project-cyclonedx/

https://joshcgrossman.com/

PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg 

Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210 

https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544 

ASVS website: https://owasp.org/asvs 

Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee 

Show points of Contact:
Amanda Berlin: @infosystir @hackershealth 
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb 
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec