Business pressures like deadlines and budgets often prioritize rapid proof-of-concept development over establishing sustainable software quality and security from the start.
Integrating a secure system development lifecycle (SDLC) into university and bootcamp curricula is crucial for changing the industry's culture and embedding security from the ground up.
Instead of expecting every developer to master security, performance, and usability, teams should adopt a model with specialists like security champions.
Creating a robust security culture requires educating everyone from young people on data privacy to management on IT fundamentals, reinforced by practices like phishing simulations.
The panel discusses whether software engineering needs formal regulations, similar to civil engineering, to improve safety and why the intangible nature of data breaches makes this challenging.
Security should start with requirements and design, using accessible techniques like simplified threat modeling and attack trees to identify potential risks early in the development lifecycle.
Effective tooling involves a mix of static analysis (SAST), red team tools, and unit tests, but success depends on managing false positives and matching the tool's rigor to the application's risk profile.
Panelists wish for improvements ranging from better communication and fewer dependencies to a perfect body of security knowledge and smarter IDE integrations.
The panelists conclude by sharing their passion for the field, highlighting the noble goal of protecting people, the constant learning, and collaborative problem-solving.
42:40Tanya Janca
33:20Aarno Aukia
29:34Reto Kaeser
44:30Milecia McGregor
1:41:05Mathias Tausig
37:32Martin Schmiedecker
51:13Thomas Fuchs, Waleed Arshad & Frank Dornberger & Idir Ouhab Meskine:
37:36Vandana Verma
Jobs that call for the skills explored in this talk.
D-Wave Quantum Inc.
Portland, United States of America
Saviynt Inc.
San Jose, United States of America
Clearwater Security & Compliance LLC
Punk Security Ltd.
