A Four-Step Process for SDLC Security

Presented by

Chip Epps, Head of Product Marketing, GrammaTech

About this talk

As software producers and publishers become increasingly accountable for the safety and security of their software, there’s an increasing focus on protecting their software applications from the inside out. This begins in the earliest stages of the software development life cycle (SDLC) as security shifts left and continue through production and release. This video presents a four-step process for SDLC security that can be achieved with minimal friction. Program planning that covers how the application will be used, what sensitive data will be processed, and mapping application interdependencies, code components, and libraries. Use SAST (static application security testing) to build security into the SDLC at the code layer. Apply SCA (software composition analysis) to analyze third-party and open-source software components in binaries for N-day or Zero-day vulnerabilities, and improper versioning and licensing. Create an SBOM (software bill of materials) that identifies the use of open-source components. This should be done in both the custom code as well any third-party code in the software. Run a final vulnerability analysis to check for any vulnerabilities that may be hiding in open-source components or the application functions, and remediate them, to ensure that the software being released into production does not contain hidden exploitable vulnerabilities. Please join GrammaTech’s Chip Epps, head of product marketing, to learn more about this 4-step AppSec playbook: · Source integrity through SAST · Binary integrity through SCA · Component risk visibility through an SBOM · Release assessment through vulnerability analysis

Related topics:

More from this channel

Upcoming talks (0)
On-demand talks (27)
Subscribers (1941)
GrammaTech is a leading global provider of software analysis and testing solutions used by the world's most security conscious organizations to detect, measure, analyze and resolve security and safety vulnerabilities. The company is also a trusted cybersecurity research partner for the nation’s civil, defense, and intelligence communities.