Building a sustainable security requirements process with the ASVS - Josh Grossman - NDC Security

Shift left? Spread left? Regardless of terminology, we want to be thinking about security earlier on in the development lifecycle. Ideally whilst we are still gathering the business requirements.

But how do we do that? Not everyone can think up security requirements on demand and we need to do this constantly for each new feature or development.

As a project lead for the OWASP Application Security Verification Standard (ASVS), a list of requirements for building secure software, this is something I have spent time working on as well as discussing with a variety of development teams. In this talk I want to show you what we came up with.

After a brief overview of what the ASVS is, we will then talk about how to:

- Get buy-in for security at this stage
- Balance trade-offs and prioritize different security requirements
- Trim the ASVS to focus on your current context
- Make the process repeatable and maintain a view of security state

You should leave the talk with not only a better understanding of the ASVS but also clear ideas on how you can take this and implement it as part of your own organization's requirements process.


Check out more of our featured speakers and talks at
https://ndcconferences.com/
https://ndc-security.com/
