Farshad Abasi shares three models for deploying resources within application security teams:
- The Dedicated AppSec Person Model involves assigning an AppSec person to work with each team. Farshad shares his experience of working with developers and the challenges faced in getting them to understand and implement threat modeling. He also discusses the transition from waterfall to Agile and how it affected threat modeling.
- The Federated Model: A security consultant attends weekly standups and sprint planning sessions in this model. They work with a checklist to quickly determine if any user stories could be security sensitive. This model reduces the allocation required to 10 to 20% of an AppSec consultant.
- The Champion or Deputy Model: The AppSec team deputizes developers to do the bulk of the application security work, and the AppSec team becomes a resource and escalation point for more complex problems. Each DevOps team appoints a security champion, and these champions form a working group supported by an AppSec person. The champions handle day-to-day issues and threat modeling, with the AppSec team providing mentorship and support.
Over several years, Farshad's journey progressed from the expert-led model to a fully-deputized, champion-driven approach to AppSec.
After careful consideration, we conclude that the fully deputized model is the only path to scalability.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
