BCS Member Groups's video: No DevSecOps Plan B: Risk-Driven Application Testing BCS London Central North Branches

Speaker: Richard Hollis - CEO of Risk Crew Synopsis: There are two key facts to understanding today’s threat landscape: First, 84% of all cyber-attacks occur at the application level. Second, the Open Web Application Security Project® (OWASP) list of the top 10 (application security vulnerabilities) has not changed by more than 30% in the last 15 years. Simply stated, year after year, breaches continue to rise because we neglect to incorporate security into the development of our applications. Development, Security, & Operations (DevSecOps) is the practice of implementing best security practices early and throughout the application’s development life cycle. It should involve practices like segmenting developers, scanning repositories for security vulnerabilities, conducting continuous monitoring, static code analysis and secure code reviews. Unfortunately, very few organisations have the tools, expertise or resources to implement these best practices and the market rewards speed over security. At best, we subject these insecure applications to boilerplate security penetration tests that do not address design and deployment-specific vulnerabilities and attack surfaces.