You can read it on his Rebooting (secure) (web) software development with Continuous Deployment blog entry (the SlideShare deck was embedded in the original post):
There are lots of great ideas and concepts in there, but for me the slide that really describes what we are trying to do (and how we have to solve the 'software security problem') is this one:
"If we want to fix Security .... we have to fix Development"
"If we want to fix Security .... we have to fix Development"
"If we want to fix Security .... we have to fix Development"
.... (write/say 100x until internalized)
"If we want to fix Security .... we have to fix Development"
One of the reasons why driving security changes and making code-fixes is so hard is that security doesn't live in isolation: it is 100% dependent on the development process that exists on the other side.
What I like about Nick's pragmatic approach is that he shows (with real examples) that when there is a slick, fast and effective SDL (with daily pushes to production), security is much easier to embed, there is a much better architecture to 'inject security' into the SDL, and the side effects of those security changes are much easier to understand.
The good news is that we, 'the security dudes', have such a good reputation with developers, and they trust us so much, that we are the best guys to drive this change.............
.... I can just hear the developers calling the security teams and saying: "....Hey, we want to change how we develop our applications/websites, can't you come over and tell us what to do? ... Since you've been trying to 'tell us what to do' forever ... you must have good solutions for how to create the type of development environment that Nick is talking about..."
....yeah ..... right :(
Related posts:
- SecDDev - Security Driven Development
- 'About' page broken due to ClickJacking protection
- Couple XSS issues and XSS-By-Design (in TeamMentor)
- Security evolution into Engineering Productivity
- My presentation at OWASP AppSec Brazil: "Making Security Invisible by Becoming the Developer's Best Friends"
- What are the challenges with SAST that don't need a better engine
- Why should a developer care about security training?