13 Nov 2009
Building an In-House Application Security Assessment Team
This presentation was given by Keith Turpin of The Boeing Company. About three years ago, all of Boeing's application security assessments were performed by outsourced service providers. They found they had little control over the people and the process, and had difficulty integrating the assessments into the SDLC, so they decided to bring the function in house. The goal of the presentation was to describe the issues they ran into and how they addressed them. My notes from the presentation are below:
Contracted Services Considerations
- Some advantages:
  - Highly skilled
  - Established tools, processes, and standards
  - Unbiased
  - Available as needed
- Some disadvantages:
  - Expensive, especially for an extended engagement
  - Less control and flexibility
  - Not familiar with company processes and culture
  - Rotating staff
Planning
- Considerations for establishing an internal team:
  - Time to staff and train the team
  - Overlap of the external and internal teams during the transition
  - Development of processes and standards
  - Acquiring the necessary tools
Service Model
- Define the services your team will provide. This will be greatly influenced by:
  - The team's size and skills
  - The number of applications you have to support
  - The tools available
  - The level of executive support
  - The funding model
    - Who pays for your services
  - The team's role
    - Development support, pre-deployment testing, or post-deployment auditing and pen testing