))
Josh Grossman - building Appsec programs, bridging security and developer gaps
Manage episode 412716335 series 3562689
Bryan Brake, Amanda Berlin, and Brian Boettcher에서 제공하는 콘텐츠입니다. 에피소드, 그래픽, 팟캐스트 설명을 포함한 모든 팟캐스트 콘텐츠는 Bryan Brake, Amanda Berlin, and Brian Boettcher 또는 해당 팟캐스트 플랫폼 파트너가 직접 업로드하고 제공합니다. 누군가가 귀하의 허락 없이 귀하의 저작물을 사용하고 있다고 생각되는 경우 여기에 설명된 절차를 따르실 수 있습니다 https://ko.player.fm/legal.
Youtube VOD: https://youtu.be/G3PxZFmDyj4
#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis
Questions and topics:
1. The background to the topic, why is it something that interests you? How do you convince developers to take your course?
2. What do you think the root cause of the gap is?
3. Who is causing the gaps? (‘go fast’ culture, overzealous security, GRC requirements, basically everyone?)
4. Where do gaps begin? Is it the ‘need’ to ‘move fast’?
5. What can devs do to involve security in their process? Sprint planning? SCA tools?
6. How have you seen this go wrong at organizations?
7. How important is it to have security early in the product development process?
8. What sort of challenges do you think mainstream security people face in AppSec scenarios?
9. How does Product Security differ from Application Security? (what if the product is an application?)
10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?
11.. How do you suggest a security team approach AppSec/ProdSec? Leadership buy-in Effective/valuable processes Tools should achieve a goal
12. SBOM - NTIA is asking for it, How to get dev teams to care.
13. Key takeaways?
Additional information / pertinent LInks (Would you like to know more?): BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218
https://www.walkme.com/blog/leadership-buy-in/
https://www.bouncesecurity.com/
https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example
https://www.cisa.gov/sbom
SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd
https://semgrep.dev/
https://www.linkedin.com/in/joshcgrossman
https://owasp.org/www-project-application-security-verification-standard/
https://github.com/OWASP/ASVS/tree/master/5.0
https://owasp.org/www-project-cyclonedx/
https://joshcgrossman.com/
PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg
Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210
ASVS website: https://owasp.org/asvs
Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee
Show points of Contact: Amanda Berlin: @infosystir @hackershealth Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec
458 에피소드
공유
