Agile Security Expert Opinion

David Harvey

David Harvey, CISSP is a principal consultant with Synopsys. David evaluates agile practices, leads code reviews, and trains developers on defensive coding and threat modeling. Prior to joining Synopsys, he worked for UnitedHealth Group where he co-founded and led a developer-facing software security initiative. David has also worked as an architect and developer at Siemens, Boeing, and Unisys. He learned about software security when the ‘information superhighway’ was just becoming a thing and Fortune 20 companies were starting to bear the brunt of unsanitary design and coding practices that had been de rigueur in the old, segregated, safe ‘client-server’ or ‘feudal’ deployment models.

Posts by David Harvey:

Is threat modeling compatible with Agile and DevSecOps?

Bryan Sullivan, a Security Program Manager at Microsoft, called threat modeling a “cornerstone of the SDL” during a Black Hat Conference presentation. He calls it a ‘cornerstone’ because a properly executed threat model: Finds architectural and design flaws that are difficult or impossible to detect through other methods. Identifies the most ‘at-risk’ components. Helps stakeholders […]

Posted in Agile, CI/CD & DevOps | Comments Off on Is threat modeling compatible with Agile and DevSecOps?

How to overcome common software security training hurdles

Software security training is an important part of software development. In the latest Ponemon study on data breaches, training and awareness programs are the number one control implemented after a data breach. However, as with any security control, it’s possible to incorrectly implement training. Within this post, I’ll discuss several common software security training hurdles […]

Posted in Data Breach, Security Training | Comments Off on How to overcome common software security training hurdles

Benefits of application security training: Moving beyond compliance

The official organizational response to a data breach almost always includes the statement: “We met all regulatory and legal requirements for data protection.” Training is required for many compliance regimes, and it might just be good enough as a compliance control. However, as a security control it’s inadequate. There are multiple major retailers that were […]

Posted in Data Breach, Maturity Model (BSIMM), Security Training, Software Security Initiative (SSI) | Comments Off on Benefits of application security training: Moving beyond compliance

The IRS data breach: How not to do identity proofing

In 2015, thousands of U.S. taxpayers attempting to file a tax return discovered that a return had already been filed on their behalf with a tax refund deposited into an unknown account. An investigation showed that a service known as Get Transcript was used to access the data of at least 700,000 individuals. That data […]

Posted in Data Breach, Software Architecture and Design | Comments Off on The IRS data breach: How not to do identity proofing

How to create an effective software security training program for Agile teams

Agile is a great innovation in software development. The Agile focus on stakeholder involvement end-to-end, transparency and short delivery cycles are changes for the better for our industry. However, just-in-time nature of requirements, bug and flaw triage in agile makes it all the more critical that everyone on the team has a certain level of […]

Posted in Agile, CI/CD & DevOps, Security Training, Software Architecture and Design, Static Analysis (SAST) | Comments Off on How to create an effective software security training program for Agile teams

Software Integrity Blog

Author Archive

David Harvey

Posts by David Harvey:

Is threat modeling compatible with Agile and DevSecOps?

How to overcome common software security training hurdles

Benefits of application security training: Moving beyond compliance

The IRS data breach: How not to do identity proofing

How to create an effective software security training program for Agile teams

Legal

Follow