Pervasive security

DORA Shift left on security


1. Understand

1.1. Usual cycle

1.1.1. design -> code -> build -> test -> release -> deploy

1.2. It is too late!!

1.2.1. to care about security when

1.2.1.1. testing

1.2.1.2. Scanning containers

1.3. Shift left

1.3.1. Care about security in design phase

1.3.2. As security design flaws are too expensive to fix later

2. Implement

2.1. Involve InfoSec in Software design

2.1.1. Setup

2.1.1.1. Process to request

2.1.1.2. Security trained Developers

2.1.1.3. InfoSec resources to deliver

2.1.2. Run

2.1.2.1. Design-level advice and review

2.1.2.1.1. i.e. before development starts

2.2. Develop security approved tools

2.2.1. Approved

2.2.1.1. libraries

2.2.1.2. utilities

2.2.2. leads to standardized code

2.2.3. leads to

2.2.3.1. speed up code review

2.2.3.2. Automated checks that only approved tools are used

3. Pitfalls

3.1. Low Dev <-> InfoSec collaboration

3.2. Understaffed InfoSec teams

3.2.1. e.g. ratio

3.2.1.1. 1 InfoSec

3.2.1.2. 10 Infra

3.2.1.3. 100 Dev

3.3. Engaging InfoSec too late

3.4. Devs unfamiliar with common security risks

3.4.1. OWASP Top 10

3.4.1.1. Broken access control

3.4.1.2. Cryptographic failures

3.4.1.3. Injection

3.4.1.4. Insecure design

3.4.1.5. Security misconfigurations

3.4.1.6. Vulnerable and outdated components

3.4.1.7. Identification and authentication failures

3.4.1.8. Software and data integrity failures

3.4.1.9. Security logging and monitoring failures

3.4.1.10. Server-side request forgery

4. Improve

4.1. Invite InfoSec to demos

4.2. Build pre-approved code

4.3. Security review at each phase

4.3.1. Including design

4.4. Involve InfoSec in CI/CD and test automation

5. Measure

5.1. % of features that received a security design review

5.2. Mean time to complete a security review