951 Views
Application Security/Software Assurance
Security Congress Abstract
THOMAS SCANLON
Senior Cybersecurity Researcher
Carnegie Mellon University
To truly make security a fundamental, integral aspect of software development, it needs to be engineered in from the very beginning of a project. Many people know they should "build security in," but they don't know how—beyond security tooling. This talk will present practical methods and techniques for infusing security interests into a software development project from the start. We will discuss how mission threat workshops can be utilized at a project's inception to identify architectural and engineering security considerations, how threat models and threat assessments can be used to elicit security requirements, and how attack models can be used to foster secure architectures. A variety of techniques will be presented and explained along with guidance on how to select appropriate methods for a project.