Boy Baukema
Sep 5, 2012, 10:46:57 AM
to se...@googlegroups.com
Hi,
Found this group through Pádraic Brady's blog (which in turn I found through the excellent PHPSecurity book that turned up on Hacker News, I believe).
A little intro: I have recently been tagged as a 'WebAppSec' specialist at Ibuildings, the company I'm employed at. We do some security auditing and consulting for smaller web shops and I'm responsible for making sure stuff we build meets our security criteria.
One problem I've been tasked with is integrating security into our SDLC. A difficult task in itself, but it is made more difficult by the fact that we're a web shop and not an in-house team, so we have to give out scopings and 'beat the competition'.
Anyway, we're starting to work with OWASP ASVS, which unfortunately is a bit dated (2009) and not very PHP-specific, but at least it gives us a starting point to discuss security (and the impact of security on the organization) with the customer, and a checklist for the requirements phase for Team Leads who work out the features into something developers can implement and that a Team Lead / Specialist can later verify.
But my question is, for you other security 'Specialists' that work in organizations, how did / do / would you integrate security into the SDLC (assume some flavor of Scrum)?
Cheers,
Boy
PS: Evert, you really are everywhere aren't you?