David Jorm
[NCC Group]
David has been involved in the security industry for the last 20 years.
During this time he has found many high-impact and novel vulnerabilities, handled security response for dozens of open source projects, led a Chinese startup that failed miserably, and wrote the core aviation meteorology system for the southern hemisphere. He is currently a managing security consultant for NCC Group.
Product Security: bringing Silicon Valley to security assurance at an Australian financial institution
Product security is a cross-disciplinary effort to improve the security of software products, respond to vulnerabilities and incidents, and embed automation of security assurance controls into the delivery pipeline. It spans policy, consulting, automation, software engineering, and vulnerability research.
Most large Silicon Valley software companies have a product security function, but the concept has not spread widely to more traditional corporate environments, where the function is fragmented between teams covering penetration testing, application security, and vulnerability management.
Many large corporate environments have a division of the company that is essentially a mini tech company, producing their in-house software assets. This talk will explore an effort over several years to build and embed a product security function within one of the largest corporate environments in Australia.
It will look at the challenges of defining the function, establishing boundaries between other teams and functions, and maintaining compliance with the complex regulatory environment of a financial institution.