Let’s talk about large-scale security programmes and maintaining security with tens of project teams – agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations what works well in regards to security at scale and what does not.
Jakub Kałużny Senior IT Security Consultant