2017-038 - Michael De Libero discusses building out your AppSec Team
Direct Link: https://brakesec.com/2017-038
Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.
So I asked him on, and we went over the highlights of his talk. Some of the topics included:
Discussing with management your manpower issues
Who to include in your team
Communication between teams
RSS: https://brakesec.com/BrakesecRSS
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
Join our #Slack Channel! Sign up at
http://brakesec.com/brakesec
or DM us on Twitter, or email us.
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
----SHOW NOTES:
Amanda’s appearance on PSW
Building an AppSec Team - Michael de Libero (@noskillz)
https://techbeacon.com/owasp-top-ten-update-what-your-security-team-needs-know
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
https://www.veracode.com/blog/2012/02/how-to-build-an-appsec-training-program-for-development-teams-a-conversation-with-fred-pinkett
Michael’s slides: https://docs.google.com/presentation/d/1Bvl2rybuWMdOu3cs03U85zwAvrM1RNxv99Dt-YiGiys/edit?usp=sharing
Random Notes from Mike:
How do you sell a company on having an appsec team if they don’t have one?
If you have an existing ‘security team’, how easy is it to augment that into an appsec team?
Can you do job rotation with some devs?
Do devs care enough to want to do code audits?
“That’s not in my job description”
Skills needed in an appsec team
Does it depend on the tech used, or the tech you might use?
Internal security vs. consultants
Intro to RE course with Tyler Hudak
Bsides Wellington speaker Amanda Berlin