Any experiences with OWASP ASVS or integrating security into the SDLC?
78 views
Skip to first unread message
Boy Baukema
Sep 5, 2012, 10:46:57 AM9/5/12
to se...@googlegroups.com
Hi,
Found this group through Pádraic Bradys blog (which in turn I found through the excellent PHPSecurity book that turned up on Hacker News I believe).
A little intro: I have recently been tagged as a 'WebAppSec' specialist at Ibuildings, the company I'm employed at. We do some security auditting and consulting for smaller web shops and I'm responsible for making sure stuff we build meets our security criteria.
One problem I've been tasked with is integrating security into our SDLC. A difficult task in itsself, but it is made more difficult by the fact that we're a web-shop and not an in-house team, so we have to give out scopings and 'beat the competition'.
Anyway we're starting to work with OWASP ASVS, which unfortunately is a bit dated (2009) and not very PHP specific, but at least it gives us a starting point to discuss security (and impact of security on the organization) with the customer and a checklist for the requirements phase for Team Leads that work out the features into something developers can implement and that a Team Lead / Specialist can later verify.
But my question is, for you other security 'Specialists' that work in organizations, how did / do / would you integrate security into the SDLC (assume some flavor of Scrum)?
Cheers,
Boy
PS: Evert, you really are everywhere aren't you?
Found this group through Pádraic Bradys blog (which in turn I found through the excellent PHPSecurity book that turned up on Hacker News I believe).
A little intro: I have recently been tagged as a 'WebAppSec' specialist at Ibuildings, the company I'm employed at. We do some security auditting and consulting for smaller web shops and I'm responsible for making sure stuff we build meets our security criteria.
One problem I've been tasked with is integrating security into our SDLC. A difficult task in itsself, but it is made more difficult by the fact that we're a web-shop and not an in-house team, so we have to give out scopings and 'beat the competition'.
Anyway we're starting to work with OWASP ASVS, which unfortunately is a bit dated (2009) and not very PHP specific, but at least it gives us a starting point to discuss security (and impact of security on the organization) with the customer and a checklist for the requirements phase for Team Leads that work out the features into something developers can implement and that a Team Lead / Specialist can later verify.
But my question is, for you other security 'Specialists' that work in organizations, how did / do / would you integrate security into the SDLC (assume some flavor of Scrum)?
Cheers,
Boy
PS: Evert, you really are everywhere aren't you?
Evert Pot
Sep 5, 2012, 10:53:28 AM9/5/12
to se...@googlegroups.com
On Sep 5, 2012, at 4:46 PM, Boy Baukema wrote:
> Hi,
>
> PS: Evert, you really are everywhere aren't you?
Nice to see you here too!
> PS: Evert, you really are everywhere aren't you?
Cheers,
Evert
Reply all
Reply to author
Forward
0 new messages