Rebooting (secure) (web) software development with Continuous Deployment
First presented at OWASP AppSec USA on October 25, 2012 in Austin, Texas.
If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals need to start getting involved more in the development of software. Let's review the origins of the traditional software development, and what assumptions are made. Then we'll review if those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot", when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.
Just found that Dinis Cruz wrote a nice piece on my talk: Amazing presentation on integrating security into the SDL and brings up some good points. I hope address these in a future presentation. Thanks Denis!