Citibank
Flexera Software
KFKI
KPMG
Nuuday
Santander
Secunia
TDC Net
As the pinnacle of the shift-left paradigm, it is important to design your software solutions with security in mind from the ground up. This not only gives you a more structured approach to the development process, but also lowers the security-related costs of the project. While large corporations usually have their in-house security architects, most companies don't need to employ somebody full time for this role. In these cases, it is usually best to outsource the threat modelling of the solution. At the end of the process, you will have a list of potential risks that you must pay attention to during the development process.
At the end of the DevSecOps chain, software is typically shared with the customers. At this point, it is usually best practice to choose one of two options. The better, but far more resource-heavy, option is signing up for a bug bounty program. By doing so, a company can ensure that its software is resilient against constant attacks from expert testers. On the other hand, if a company is not yet committed to establishing a dedicated team to process the constant stream of security reports, it is advised to perform a pentest on the software. During the pentest, I can check the software from an attacker's perspective, within strictly predefined parameters, to ensure that the company understands its own product from a hacker's point of view.
When developing software, security is always of utmost importance. But not all security controls are created equal. By analyzing the DevSecOps landscape using the industry best-practice OWASP SAMM model, I can help your company develop a roadmap to continuously improve your security posture as well as decrease your security-related costs thanks to the shift-left approach.
A bug bounty program is the next-level process to ensure the security of your application. By exposing it to security experts all over the world, you can make sure that you are constantly aware of your security posture. While managing reports from such a program is notoriously resource-heavy, it without doubt provides the most control over the end state of your final product. While it is not recommended to start your DevSecOps journey with this control, it surely is the ultimate proof of all the controls you have implemented beforehand.