[Banner: "Sorry, but this presentation is being Canceled"]
Abstract:
When a software development life cycle is informal, with no clear direction and no documented processes or procedures, it tends to result in an unnecessarily high amount of downtime in the production environment. It also introduces an unnecessarily high number of security vulnerabilities, which in turn may end up costing software development companies and their clients a lot of money.
By implementing a formal secure software development life cycle, it is possible to catch security vulnerabilities, both in design and in implementation, much earlier, thereby reducing downtime and unnecessary costs.
This presentation is based on the presenter's experience of working for multiple companies: as a member of programming teams, leading programming teams, auditing software development life cycles and, most recently, designing and leading the implementation of a secure software development life cycle.
This presentation covers the basic building blocks required to achieve a successful and secure software development life cycle. Useful standards that can be applied in the design of a secure software development life cycle will be covered, including ISO/IEC 27034. The presentation will also address a number of questions, including: "Should every software company implement a secure software development life cycle?" and "What are the common pitfalls, and how can they be avoided?"
Bio:
Svavar has specialized in IT security and software development for the last 18 years and has held various roles in programming and IT security consulting, with extensive experience in penetration testing, vulnerability assessment, code auditing and information security management, including ISO/IEC 27001, PCI DSS and PA-DSS. These roles include a manager position at KPMG, as well as a CISO position at DH samskipti. Svavar has taught classes on computer security at the University of Iceland and the University of Reykjavik. Svavar was the chairman of the information security focus group at the Icelandic Computer Society from 2007 to 2012. He has given talks at multiple events in Iceland, the UK, Germany, Ukraine and the US, including OWASP, BSides and Hacker Halted Europe. Svavar holds various certifications, including CISSP, CISA and CISM.