How do you get your dev team to shift security left?
In your organization, does shift-left mean scanning code for security vulnerabilities, or does it begin with designing it?
Can threat modeling be part of an organization’s shift-left strategy?
Our shift-left strategy involves playing games. What is yours?
https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap
In the latest version of OWASP Cornucopia, we have added STRIDE analysis to each of the cards: https://cornucopia.owasp.org/cards/VE2#STRIDE
At the same time, we ask the questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
So, how about “Did we do a good job?”
In the next major release (v3.0), we will also discuss the last question: “Did we do a good job?”
Why? Because we want the game to be used in iterative security processes, in which security measures are continually adapted in cycles to identify, address, and reassess threats and vulnerabilities, making continuous improvements rather than a one-time fix. What do you think? Can games be used to continuously improve your security?
