How does your organization integrate secure software practices in software development?

Share your current employment methods / frameworks / tools / processes for embedded secure software development, and any issues / challenges, or successes. If you could also share the industry and general size of the organization, for reference.

My previous roles have been pretty lacking in terms of secure practices.

Industry: Large Defense Contractor working on Government Project

Methodology: Agile

Secure Frameworks: None specified.

Tools: Automated static analysis tools in CI builds

Processes: On feature milestones, external penetration testers brought in to provide feedback on vulnerabilities

Issues: No training provided to developers. Security was not embedded. We had some horrendous security flaws when a prototype project was 'sold' to the Government, and instead of being redesigned, it was 'enhanced.'

Other Comments: Our senior development team thought about the security of the technology in use: we had secure communication methods prescribed, we had solid data encryption and backup processes, users required 2FA, only certain USBs were supported, secure boot, custom hardware, etc. The in-use security from 'the enemy' was considered, but the security of the software itself wasn't considered thoroughly.

In my current role:

Zero security consideration except for security-updating the 3rd-party software we use, and just the individual skill / knowledge of the developer: no training provided, or minimum standard expected. No security testing at all.

I need a little help here with some industry research. I'm doing a Master's of Cyber Security, and as part of an assignment, we're discussing how 'in the real world' people are developing secure software. But, online, people don't publicize how they're developing their software, especially when it's only 'half' considered.

submitted by /u/878_Throwaway____

from Software Development – methodologies, techniques, and tools. Covering Agile, RUP, Waterfall + more! https://ift.tt/H8O6nm2
