“We’re Agile, so there’s no time for that” - This is a typical response I get when I first suggest to a development team that they need to start doing Threat Modelling, Security Testing, or other Application Security (AppSec) activities. These are frequently seen as heavyweight tasks that interfere with delivery, rather than the quality and efficiency multipliers they can actually be.

In this talk, I’ll present my current thinking on a few key Software Assurance activities teams can introduce into their day-to-day development practices. I’ll also touch on how they can be introduced to an existing team’s development cadence with (relatively) little disruption.

$ whoami

Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. He’s currently leading the Software Assurance advisory practice at Datacom New Zealand, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before moving to application security, John was active as a Java enterprise architect and Web application developer. In an earlier life, John developed discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and is active on the OWASP Education and Training Committee and Application Security Curriculum Project.