Scaling Application Security Program

Prakasha M Ramachandra

Published Mar 14, 2020

Automating Software Security at Capital One, is an excellent articulation of the scaling application security program by wrapping the code assessment tools through API abstracted system and making it available as-a-service to developers in a polyglot environment.

Other key aspects that need to be considered in building scalable software security program:

Make threat intelligence available for developers as it helps to democratize threat intelligence and helps track vulnerabilities in the software supply chain
Enable everyone in the dev team (including coders, testers, technical writers, architects, product owners, scrum masters), to have access to a portal powered by Jupyter Notebook as threat testing workbench, to write a threat-model inspired test cases and linking that to security assessment tool (similar to what is attempted with BDD security). This would help keeping the threat model current and can help build a risk registry for the software product

To view or add a comment, sign in

More articles by Prakasha M Ramachandra

AMI & Container Image Vulnerability Management using DefectDojo

Mar 24, 2022

AMI & Container Image Vulnerability Management using DefectDojo

Tracking OS & application package vulnerabilities in Amazon Machine Images (AMI) and container images has different…
DefectDojo Okta SSO Workflow

Mar 21, 2022

DefectDojo Okta SSO Workflow

Enabling SSO is important from the perspective of scaling the application security program as it helps manage different…

2 Comments
10 Things to Consider while Operationalizing OWASP DefectDojo

Jan 23, 2022

10 Things to Consider while Operationalizing OWASP DefectDojo

OWASP DefectDojo (DefectDojo | CI/CD and DevSecOps Automation ) is a security program and product/application security…
Operationalizing AWS Security Hub as Cloud Security Posture Management (CSPM) Platform

Dec 9, 2021

Operationalizing AWS Security Hub as Cloud Security Posture Management (CSPM) Platform

Continuous monitoring & maintenance of security baseline posture of infrastructure and environment is one of the key…
Operationalizing Rapid7 IVM for Managing Vulnerabilities in AMI Application/OS Packages

Aug 3, 2021

Operationalizing Rapid7 IVM for Managing Vulnerabilities in AMI Application/OS Packages

Framework for scaling OS image and application package scanning and patching of identified vulnerabilities in AWS EC2…
AWS Lambda CIS-like Benchmark

Jul 16, 2021

AWS Lambda CIS-like Benchmark

CIS AWS benchmark provides important starting point for setting up security governance of AWS cloud environment. Even…
Product Security Risk Framework

Jun 20, 2020

Product Security Risk Framework

Have been noticing increasing trend towards using FAIR technique in risk assessments. As FAIR is being used to quantify…
Securing IIoT MQTT & CoAP Deployments

Jan 13, 2019

Securing IIoT MQTT & CoAP Deployments

The newly published Trend Micro: The Fragility of Industrial IoT’s Data Backbone report (https://documents.trendmicro.
Container Security Reference Architecture

Dec 4, 2018

Container Security Reference Architecture

Even though container runtimes utilize Linux concepts like namespace, control groups (cgroups) for resource isolation…
AI & Cybersecurity

Aug 15, 2018

AI & Cybersecurity

As friction between different cybersecurity functions is unfortunately high in a typical enterprise cybersecurity…

2 Comments

See all articles

More articles by Prakasha M Ramachandra

AMI & Container Image Vulnerability Management using DefectDojo

DefectDojo Okta SSO Workflow

10 Things to Consider while Operationalizing OWASP DefectDojo

Operationalizing AWS Security Hub as Cloud Security Posture Management (CSPM) Platform

Operationalizing Rapid7 IVM for Managing Vulnerabilities in AMI Application/OS Packages

AWS Lambda CIS-like Benchmark

Product Security Risk Framework

Securing IIoT MQTT & CoAP Deployments

Container Security Reference Architecture

AI & Cybersecurity

Explore content categories