Scaling AppSec through Education

2021-09-24

Authors: Grant Ongers


Summary

The presentation discusses the importance of scaling application security through education and defines application security as product security. It also highlights the ISO IEC 25010 system and software quality model and the impact of technical debt on quality.
  • Application security is a crucial aspect of cybersecurity that involves building secure software systems.
  • ISO IEC 25010 system and software quality model prioritizes security as an intrinsic quality system.
  • Technical debt can lead to a drop in non-functional qualities, including security.
  • Scaling application security through education is essential to ensure developers are equipped with the necessary skills to identify and address security issues during code review.
If a change negatively impacts performance, it would be immediately visible to customers, but if it negatively impacts security, it might never be noticed. Hope is not a strategy when it comes to security.

Abstract

Given that:
  • Security teams are outnumbered by developers 100:1
  • 50 - 80% more bugs are found in code review than in testing
  • More than 70% of CVEs are caused by implementation in code

It must follow that AppSec should be the biggest part of your concern as a security person, and that you either need to seriously invest in more AppSec people to keep up with the developer population or you need to get developers looking for AppSec issues during code review.

So, how does one do that?

Materials: