First presented at OWASP AppSec USA on October 25, 2012 in Austin, Texas.
Original Abstract: If we are ever going to get ahead of the
whack-a-mole security vulnerability game, we, as security
professionals, need to start getting more involved in the development
of software. Let's review the origins of traditional software
development and the assumptions it makes. Then we'll review whether those
assumptions still hold for modern web applications, and what problems
they cause, especially for security. Continuous deployment helps
address these problems and allows for faster, more secure
development. It's more than just "pushing code a lot"; when done
correctly it can be transformative for the organization. We'll discuss
what continuous deployment is, how to get started, and what components
are needed to make it successful and secure.
Just found that Dinis Cruz wrote a nice
piece on my talk: "Amazing presentation on integrating security into
the SDL". He brings up some good points; I hope to address these in a future
presentation. Thanks Dinis!