Scope – application security
“In the requirements phase, you need to ask both what security controls are needed, but also ask what shouldn’t happen (account for those things as you find them). During design, threat modeling lets you ensure you understand what could go wrong so that you can design those considerations in. During implementation, incorporate security into IDE, modular code reviews, check-ins, etc. instead of waiting to reach the testing phase for a security-focused discussion to happen. During testing, evolve the security testing program to move from regular intervals to an irregular (unpredictable) or – better yet – continuous manner. Lastly, as you maintain, change the metrics from primarily KPI-driven (for example, the number of critical vulns in production systems) to KRI-driven (e.g. – the number of critical vulns out of SLA in the production env).”
– Phoram Mehta, Director & Head of Infosec APAC, PayPal...