Akshay on the business of security : SDL

Shrinking Budgets: Application Security Tools vs Process Tradeoff

Akshay Aggarwal — Thu, 30 Apr 2009 08:25:54 GMT

An all too familiar scene repeated itself two weeks ago. My good friend & CISO of a mid-sized technology company, lets call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise a 85% version...(read more)

Baking Security In: A Comic Strip View of SDL

Akshay Aggarwal — Fri, 20 Feb 2009 21:07:00 GMT

So how do you t ake your average developer who scoffs at security from the careless and brash aka Kevin, to the poster child for good development practices aka Kevlarr. Well, the Microsoft SDL team has the answer for you. The team recently...(read more)

Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?

Akshay Aggarwal — Wed, 11 Jun 2008 18:06:24 GMT

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches , like threat modeling, have more ROI than reactive...(read more)

Application Security development Lifecycle 4: Finding the right security talent

Akshay Aggarwal — Sun, 01 Jun 2008 22:45:00 GMT

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, " Great!! Now where do I find another 20 people like these?" (pointing to my team)... I thought about it a while and...(read more)

How Microsoft IT does Secure Application Development: Webcast

Akshay Aggarwal — Tue, 27 May 2008 19:20:00 GMT

Technorati Tags: Conference , SDLC , SDL , IT , ISV I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday May 29th....(read more)

Application Security Development Lifecycle 3: Funding Models

Akshay Aggarwal — Thu, 08 May 2008 21:48:09 GMT

Now that you've decided (or battled) to set up an application security program you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications. In my experience helping...(read more)

Application Security Development Lifecycle 2: Mandatory or Not?

Akshay Aggarwal — Tue, 22 Apr 2008 10:36:21 GMT

Large enterprises tend to have a number of line of business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. Applications...(read more)

Application Security Development Lifecycle 1: Understanding your portfolio

Akshay Aggarwal — Mon, 07 Apr 2008 19:45:00 GMT

"How many applications do you have and what do they do?" It seems simple enough yet this questions seems to perplex many a smart mind. Having posed it to over a hundred and fifty CSO/CIOs over the last year, I have rarely received a clear answer that...(read more)

Application Security Development Lifecycle Series

Akshay Aggarwal — Thu, 03 Apr 2008 09:54:00 GMT

After several requests from customers about information on how enterprise class application security programs are set up, I am writing a series of blogs about my experience helping some large enterprises set up application security teams similar to the...(read more)