2017-038- Michael De Libero discusses building out your AppSec Team

Direct Link: https://brakesec.com/2017-038   Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team. So I asked him on, and we went over the highlights of his talk. Some of the topics included: Discussing with management your manpower issues Who to include in your team Communication between teams   RSS: https://brakesec.com/BrakesecRSS Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite   Join our #Slack Channel! Sign up at  http://brakesec.com/brakesec or DM us on Twitter, or email us. #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec         ----SHOW NOTES:   Amanda's appearance on PSW   Building an AppSec Team - Michael de Libero (@noskillz)   https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know\   https://www.owasp.org/index.php/OWASP_AppSec_Pipeline   https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett   Need link to Michael's slides -- https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing   Random Notes from Mike: Hiring WebApps vs More traditional apps Release cycles differ Tech stacks can often differ Orgs are different Etc… Testing-focus vs. "security health" Role of management Managing a "remote" team Handling incoming requests from other teams   How do you sell a company on having an appsec team if they don't have one?   If you have an existing 'security team', how easily is it to augment that into an appsec team? Can you do job rotation with some devs? Do devs care enough to want to do code audits "That's not in my job description"   Skills needed in an appsec team Does it depend on the tech used, or the tech you might use?   Internal security vs. consultants   Intro to RE course with Tyler Hudak   Bsides Wellington speaker Amanda Berlin