When it comes to application security, we often include it as an afterthought. We have learnt how to add test into the development workflows, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.
Application security must be integrated into software development process. Late stage penetration testing is not sufficient because it will be too late and too expensive to fix mistakes. Steve Lipner from Microsoft spoke during the application security seminar at RSA conference last week about security in the software development lifecycle.
Two weeks back the US CIO's office released a 90 page proposal entitled, Proposed Security Assessment and Authorization for US Government Cloud Computing. The document is the result of 18 months of work among the NIST, GSA, ISIMC and the CIO Council to evaluate security controls and multiple Assessment and Authorization models for US Government Cloud Computing.
Neal Ziring said that the role for developers is changing where they have become the first line of defense for applications. Neal presented the keynote session at AppSec DC 2010 conference last week. He also talked about application assurance process with focus on aspects like resilience and visibility.