We've been working on a new whitepaper around some of the challenges that organizations face when they become a victim of their own success at finding vulnerabilities (yes, it really does become a problem). While writing the conclusions to the paper we included a summary of the higher-level articles we've published over the last couple of months on practical issues related to Secure Development Life-cycles (SDL / SDLC) and software risk. As it's Friday, and to give you enough material to keep at least a good proportion of your day busy, we thought we'd publish the summary here as well. So without further ado, here are the articles we've published since December 21, 2011 that you may have missed:
- The Business v Security Bugs - Risk Management of Software Security Vulnerabilities by ISVs
  - The challenges between technical security vulnerabilities and other business pressures in the high-stakes game of patch or ship product.
- Breaking the Inevitable Niche/Vertical Technology Security Vulnerability Lifecycle
  - Walks through the trade-off made between time to market and security for new products / niche sectors. Discusses how security debt is incurred and how it will eventually need paying back, and when this can be done in a proactive fashion.
- The Cost of Following an SDL
  - Our experience of attempting to follow an SDL from the start during product development. Demonstrates that it's very expensive and explains why we prefer the concept of 'Security Mindfulness' and a 'Security Diary' for products that are yet to be proven or profitable.
- Musings on Secure Software Development
  - Benefits of continually integrated security assessments to both product security and the product development life-cycle.
- Risk Appetite - The Need for Security SLAs
  - Our perspective on the problem of security patching and the need for security SLAs within business.
We hope you enjoy... as always if you need advice, have specific assessment requirements or wish to just have a chat feel free to get in contact.