Jardine Software

  • Home
  • Solutions
    • Vulnerability Assessments / Penetration Tests
    • Security Review
    • Code Review
    • Training
      • Fundamentals of Application Security
  • Testimonials
  • Resources
  • Blog
    • .Net Blog
  • About
    • Events
  • DevelopSec

March 1, 2016 by James Jardine

Introducing the Security Learning Opportunity (SLO)

We are happy to announce the release of the Security Learning Opportunity (SLO) template. SLO is a free template that helps application teams continue their security education through the use of security related items identified within the business applications.

Benefits

  • Relevant to the business – Identifying issues that relate directly to the business, or a business application helps the team understand the impact of the issue. Typical training uses purposely vulnerable applications or examples from other companies for reference.
  • Continuous education – Training needs to be re-enforced throughout the year. SLO provides an opportunity to participate in small learning sessions over time in addition to what resources may get through a 2-4 day class held annually.
  • Effective use of time – SLO is designed to be a short task, allowing the application team to focus more time on building great applications.

You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx

SLO helps organizations share the information that typically gets handled by one or two developers. Often times, when a vulnerability is discovered, it is handed to one developer to fix. Unfortunately, the other developers are never made aware, leading to a continuation of creating the same issues going forward. The SLO hopes to help solve that issue. The developer, or other team member, can fill out the template and then easily share the results with the rest of the team. This is great if the remediation should be done consistently within the applications.

For example, you find CSRF and decide on a specific way to mitigate it. You will want all of the developers to understand how this mitigation works and how to implement it going forward. If only one developer looks at the issue, resolves it, and moves on, it leaves all the other developers in the dark. It also helps testers and other team members understand the significance of the issue and ways to identify it.

SLO is designed to require only a short amount of time and is composed of 2 phases.

Phase 1: Identification and Analysis (Est. 30 minutes)

During the first phase, a team member will identify a security issue that makes sense to share with others. Don’t get caught up trying to create a SLO for every security issue identified. The trick is to identify things that can be shared on a mass scale and provide value to the other team members. Once an issue is identified, some analysis is performed to determine the following items:

  • Description of the issue
  • Risk the issue presents
  • How to identify/test for it
  • Remediation

It is estimated that it should take around 30 minutes to complete the identification and analysis phase of the project.

Phase 2: Sharing the Information

The real value of the SLO is realized when the information captured is shared with the team. There are multiple opportunities to share the information.

  • With the group during dev meeting or stand up
  • Share via email or internal collaboration site
  • Include as part of yearly or other security training classes

Sharing the information can be anywhere from 5-30 minutes, depending on the issue identified.

Download It Now

You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

Filed Under: Uncategorized Tagged With: developer, developer awareness, developer training, education, opportunity, qa, security, security testing, security training, SLO, testing

Newsletter

Sign up to receive email updates regarding current application security topics.

Privacy Policy

Contact Us

Contact us today to see how we can help.
Contact Us

Search

Company Profile

Jardine Software Inc. was founded in 2002. Originally focused on software development, we now focus on helping development teams and … Read More...

Resources

Podcasts
DevelopSec
Down the Security Rabbithole (#DTSR)

Blogs
DevelopSec
Jardine Software

Engage With Us

  • Email
  • Facebook
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • YouTube

Contact Us

Jardine Software Inc.
Email: james@jardinesoftware.com



Privacy Policy

© Copyright 2018 Jardine Software Inc. · All Rights Reserved