Sign up to save your podcasts
Or
Share Farshad Abasi -- Three Models for Deploying AppSec Resources
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Farshad Abasi -- Three Models for Deploying AppSec Resources
Farshad Abasi shares three models for deploying resources within application security teams:
- The Dedicated AppSec Person Model involves assigning an AppSec person to work with each team. Farshad shares his experience of working with developers and the challenges faced in getting them to understand and implement threat modeling. He also discusses the transition from waterfall to Agile and how it affected threat modeling.
- The Federated Model: A security consultant attends weekly standups and sprint planning sessions in this model. They work with a checklist to quickly determine if any user stories could be security sensitive. This model reduces the allocation required to 10 to 20% of an AppSec consultant.
- The Champion or Deputy Model: The AppSec team deputizes developers to do the bulk of the application security work, and the AppSec team becomes a resource and escalation point for more complex problems. Each DevOps team appoints a security champion, and these champions form a working group supported by an AppSec person. The champions handle day-to-day issues and threat modeling, with the AppSec team providing mentorship and support.
Over several years, Farshad's journey progressed from the expert-led model to a fully-deputized, champion-driven approach to AppSec.
After careful consideration, we conclude that the fully deputized model is the only path to scalability.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
View all episodes
By Chris Romeo and Robert Hurlbut
5
3636 ratings
Farshad Abasi shares three models for deploying resources within application security teams:
- The Dedicated AppSec Person Model involves assigning an AppSec person to work with each team. Farshad shares his experience of working with developers and the challenges faced in getting them to understand and implement threat modeling. He also discusses the transition from waterfall to Agile and how it affected threat modeling.
- The Federated Model: A security consultant attends weekly standups and sprint planning sessions in this model. They work with a checklist to quickly determine if any user stories could be security sensitive. This model reduces the allocation required to 10 to 20% of an AppSec consultant.
- The Champion or Deputy Model: The AppSec team deputizes developers to do the bulk of the application security work, and the AppSec team becomes a resource and escalation point for more complex problems. Each DevOps team appoints a security champion, and these champions form a working group supported by an AppSec person. The champions handle day-to-day issues and threat modeling, with the AppSec team providing mentorship and support.
Over several years, Farshad's journey progressed from the expert-led model to a fully-deputized, champion-driven approach to AppSec.
After careful consideration, we conclude that the fully deputized model is the only path to scalability.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
More shows like The Application Security Podcast
View all
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
626 Listeners
Smashing Security
312 Listeners
Darknet Diaries
7,879 Listeners
The Blindboy Podcast
1,764 Listeners
The Doctor's Kitchen Podcast
623 Listeners
CISO Series Podcast
189 Listeners
Defense in Depth
74 Listeners