Nish provided an overview of project lifecycles and how each requires a different approach to quality management, particularly where security is concerned.
Nish provided a quick overview of the following project lifecycle approaches:
- Waterfall (long planning)
- Agile (Iterative)
- Continuous Integration (no process / ticket at a time)
For all models, security requirements are added at the beginning of the project and/or to the product feature backlog, and verification of those requirements occurs during regression testing.
I really liked his presentation as it related security to the project management lifecycle, something that is often neglected when thinking about security (as security is often seen as a bolt-on for infrastructure or as after-the-fact work).
One interesting thing to note: Nish was extremely casual with his presentation, venturing into the audience to present. I was sitting in the front row and for much of the presentation, he was located in the middle of the room speaking to the back half of the room, which required me to turn in my seat to pay attention.
I was really impressed with the large library of security requirements that Nish displayed during the presentation. He directed us to Safecode.org, where we can find exhaustive security guidance, amongst other resources available on that site.
Nish also directed us to additional resources at:
Overall, this was a great presentation and the resources that Nish suggested are quite valuable.