We are happy to announce the release of the Security Learning Opportunity (SLO) template. SLO is a free template that helps application teams continue their security education by using security-related items identified within their own business applications.
Benefits
- Relevant to the business – Identifying issues that relate directly to the business, or to a business application, helps the team understand the impact of the issue. Typical training, by contrast, uses purposely vulnerable applications or examples from other companies for reference.
- Continuous education – Training needs to be reinforced throughout the year. SLO provides an opportunity to participate in small learning sessions over time, in addition to what staff may get from a 2-4 day class held annually.
- Effective use of time – SLO is designed to be a short task, allowing the application team to focus more time on building great applications.
You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx
SLO helps organizations share information that is typically handled by only one or two developers. Often, when a vulnerability is discovered, it is handed to one developer to fix. Unfortunately, the other developers are never made aware of it, so the same issue keeps being introduced going forward. The SLO aims to help solve that problem. The developer, or another team member, can fill out the template and then easily share the results with the rest of the team. This is especially useful when the remediation should be applied consistently across the organization's applications.
For example, you find CSRF and decide on a specific way to mitigate it. You will want all of the developers to understand how this mitigation works and how to implement it going forward. If only one developer looks at the issue, resolves it, and moves on, all the other developers are left in the dark. The SLO also helps testers and other team members understand the significance of the issue and ways to identify it.
SLO is designed to require only a short amount of time and is composed of 2 phases.
Phase 1: Identification and Analysis (Est. 30 minutes)
During the first phase, a team member identifies a security issue that makes sense to share with others. Don’t get caught up trying to create an SLO for every security issue identified. The trick is to identify things that can be shared broadly and provide value to the other team members. Once an issue is identified, some analysis is performed to determine the following items:
- Description of the issue
- Risk the issue presents
- How to identify/test for it
- Remediation
It is estimated that it should take around 30 minutes to complete the identification and analysis phase of the project.
Phase 2: Sharing the Information
The real value of the SLO is realized when the information captured is shared with the team. There are multiple opportunities to share the information.
- With the group during dev meeting or stand up
- Share via email or internal collaboration site
- Include as part of yearly or other security training classes
Sharing the information can take anywhere from 5 to 30 minutes, depending on the issue identified.
Download It Now
You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx
James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on Twitter.