Direct Link: https://brakesec.com/2017-038
Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.
So I asked him on, and we went over the highlights of his talk. Some of the topics included:
Discussing with management your manpower issues
Who to include in your team
Communication between teams
RSS: https://brakesec.com/BrakesecRSS
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Join our #Slack Channel! Sign up at
or DM us on Twitter, or email us.
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
----SHOW NOTES:
Amanda’s appearance on PSW
Building an AppSec Team - Michael de Libero (@noskillz)
https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know\
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
Need link to Michael’s slides -- https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing
Random Notes from Mike:
- Hiring
- WebApps vs More traditional apps
-
- Release cycles differ
- Tech stacks can often differ
- Orgs are different
- Etc…
- Testing-focus vs. “security health”
- Role of management
-
- Managing a “remote” team
- Handling incoming requests from other teams
How do you sell a company on having an appsec team if they don’t have one?
If you have an existing ‘security team’, how easily is it to augment that into an appsec team?
Can you do job rotation with some devs?
Do devs care enough to want to do code audits
“That’s not in my job description”
Skills needed in an appsec team
Does it depend on the tech used, or the tech you might use?
Internal security vs. consultants
Intro to RE course with Tyler Hudak
Bsides Wellington speaker Amanda Berlin
No comments:
Post a Comment