Software Integrity Blog

Author Archive

David Harvey


David Harvey, CISSP, is a former principal consultant with Synopsys. David evaluated agile practices, led code reviews, and trained developers on defensive coding and threat modeling. Before joining Synopsys, he worked for UnitedHealth Group, where he co-founded and led a developer-facing software security initiative. David has also worked as an architect and developer at Siemens, Boeing, and Unisys. He learned about software security when the “information superhighway” was just becoming a thing and Fortune 20 companies were starting to bear the brunt of unsanitary design and coding practices that had been de rigueur in the old, segregated, safe “client-server” or “feudal” deployment models.

Posts by David Harvey:


Is threat modeling compatible with Agile and DevSecOps?

Bryan Sullivan, a Security Program Manager at Microsoft, called threat modeling a “cornerstone of the SDL” during a Black Hat Conference presentation. He calls it a ‘cornerstone’ because a properly executed threat model:

Continue Reading...

Posted in Agile, CI/CD, & DevOps


The IRS data breach: How not to do identity proofing

We discuss the shortcomings of the IRS’s Get Transcript service, especially identity proofing, and how these widespread attacks could have been prevented.

Continue Reading...

Posted in Data Breach Security, Software Architecture & Design


How to create an effective software security training program for agile teams

Agile is a great innovation in software development. The agile focus on stakeholder involvement end-to-end, transparency and short delivery cycles are changes for the better for our industry. However, just-in-time nature of requirements, bug and flaw triage in agile makes it all the more critical that everyone on the team has a certain level of security knowledge.

Continue Reading...

Posted in Agile, CI/CD, & DevOps, Managing security risks, Security Training & Awareness, Software Architecture & Design, Static Analysis (SAST)