Keith Douglas

17 comments by Keith Douglas

Be sure that the "build it processes" include a software/application security expert and involve them early!!

We're working on a new process here to hopefully streamline and yet also improve our stance (by pipelining in various ways). The hard part is setting magic thresholds for some...

@gcharest, if the security stance is similar, then in principle common settings are applicable. But security assessment is needed to do this. This is where the new Agile approaches are...

There should also be a formal process to do periodic reviews just to ensure quality of commits, too. SCA is nice, but having external review by a security assessor or...

@CalvinRodo : Both commits and the overall stance of the project make sense to me. The idea would be to do little bits so the big picture is easier later....

We've thought a lot more since my earlier remarks and are working internally on a more Agile version of the SA&A process. Note that regardless - the security controls for...

@LaurentGoderre, that's precisely why we want a version of the "business needs for security" to be started as soon as an Idea document or any other little piece of governance...

I'm trying to create the software/application security parts of our "structured environment" but run continually into these other considerations. Hard work! :)

I am attempting to coordinate discussions with all parties - to decentralize a little. I agree that one cannot have authorization committees directly approve every last library and Python package...

In hostnames one can use so-called Punycode.