SEI Secure Software by Design Conference 2023

Date: June 12, 2023
Time: 2:30-3:15pm ET
Speaker: Trevor Young – Chief Product Officer, Security Compass

Trevor leads product strategy for the company’s SD Elements platform. Trevor is focused on building developer-centric security solutions for organizations that need to scalably model software threats and deliver secure, compliant code quickly.

Prior to joining Security Compass, Trevor served as a Vice President of Product Management for global currency trading and international payments companies, as well as Product and Technology leadership roles in startups building programmatic advertising platforms and crowdfunding marketplaces. Trevor has a breadth of experience managing security, privacy and compliance requirements for complex software platforms in highly regulated environments.

Session Info:
DevSecOps By Design: How To Incorporate Security & Compliance Earlier than Testing and Scanning
As the pace of software development continues to accelerate with DevSecOps, ensuring compliance, regulation, and security are baked into the early phases of your secure development life cycle is a critical priority. However, incorporating these elements into the software development process can be challenging, especially when they are often treated as afterthoughts.

Most organizations start this journey at the Testing phase of the SDLC – Penetration Testing, Static Application Security Testing, OSS Vulnerability Testing etc. While this helps, the time and effort to go back and re-work software after it’s been developed can be costly and slow down your time to market.

Teams that build a culture around security across multiple phases of the SDLC more effectively mitigate risk. But there are many challenges, including finding expertise to guide teams, having the authority to change the culture across the organization, securing the time and resources to implement that change, and making sure it’s integrated in a way that doesn’t burden teams to the point where the core value delivered in software is reduced or slowed.

Traditional approaches to Security by Design, such as Threat Modeling, Training Programs, and Security and Compliance Policies, can be heavyweight, and it is difficult to get buy-in for them from Development teams. Taking a new approach to secure design that is lightweight, developer friendly, and integrated into existing SDLC activities can make this task easier. By defining a path that helps foster a culture of security, organizations can start slowly and gradually increase the speed with which secure software is developed, while improving the overall security posture among both developers and project leadership.

In this discussion, we will explore some new approaches to Threat Modeling and Developer Training that can ease teams into the integration of security and compliance early in the DevSecOps process. We will discuss how doing so can help you identify and address potential security vulnerabilities early in the development lifecycle, reducing the likelihood of costly delays and rework. We will also explore the concept of building a security champions program and the benefits it can bring to your organization.

Security champions are individuals within your organization who are passionate about security and are trained to provide guidance and execution support to their peers. By empowering security champions, you can create a culture of security where everyone takes responsibility for ensuring that software is developed securely.