This page: adept.work/st8109umn1
- Geno Bassett
- Ryan Rampersad / @ryanmr
- Digital Labs
- Who we are
- What we work on
- Prototypes (short term: 6-8 weeks)
- Product Seeds (medium term: 6-18 months)
- Before development begins
- Understanding data classifications
- Understanding user stories and boundaries
- Understanding initial complexity
- Security approach (unique vs routine)
- Testing for business value?
- Testing for technology proof?
- Testing for innovation?
- 10x problems? 1x problems? 10x outcomes?
How much is enough security?
- real vs mock data?
- internal vs external access?
- customer vs business data?
- integrations or standalone?
- isolated or composed?
- Push to market?
- Early productization?
- Early user base?
- Understand software maturity
- Architecture, code, doc churn
- Data at rest, in flight
- Architecture and code auditing
- Documentation
- Monitoring and alerting
- Penetration testing
- Use security tools within pipelines (Snyk, Xray, Veracode)
- Automate / automate / automate
- Developers are lazy (in a good way); if it's automated they'll do it
- Establish a culture
- Frequent code review; security-aware, not security-focused
- An easy, straightforward path for reporting bugs and security concerns (internal and external)
- Create a shared understanding with the product owners (business folk) of security, its cost, and the risk
The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page
Snyk https://snyk.io/
Veracode https://www.veracode.com
Hey Ryan, quick question about Xray that you suggested. Is it https://jfrog.com/xray/?