James Chiappetta

An overview of how Application Security (AppSec) can help security compliance requirements get embedded in the Software Development Lifecycle (SDLC).

By: James Chiappetta

Disclaimer: The opinions stated here are my own, not necessarily those of my employer.

Background

There are many different activities through which a well-run Application Security (AppSec) Program can provide value to an organization. One of those, which is the focus of this post, is Security Compliance. …


An overview of how an Application Security (AppSec) team can build an engaging security champions program to scale its culture and impact.


Background

As organizations grow, the Application Security (AppSec) team’s ability to sustain a healthy level of support will unfortunately erode relative to the productivity of the Development team. When this happens, AppSec starts to become an island. There needs to be a way to build strong communication pathways for propagating AppSec’s knowledge, services, and value while organizations grow. …


An overview of how Application Security (AppSec) can help balance the needs of product usability and security with Product Development.


Background

Today, it’s commonplace to have those in Product Development (Product Dev) working with Application Security (AppSec). The impetus for this working relationship is either the discovery of an unrealized risk in an existing product or the need to launch something new in a hurry. …


A guide on how to successfully build, structure, hire, and retain an Application Security (AppSec) team in a modern business.


Background

The modern business is one that is building technology with applications in cloud environments. The need to ensure that these applications are built with security from the start is now top of mind. Organizations are unfortunately faced with some difficult challenges in doing this. …


An overview of how Application Security teams can avoid getting themselves in a Doom Loop by applying Agile program management and building trust with the AppSec Flywheel.


Background

I have written in my recent posts about the ever-growing cultural divide between Application Security (AppSec) Engineers and their primary stakeholders (developers) as to who owns the security responsibility. The data from the Ponemon & ZeroNorth study shows this divide quite well. The following are some insights from it.

AppSec Engineers:

  • 75% feel there is a cultural divide.


A practical guide to creating an Application Security Pentesting Program and preventing critical security flaws that cause security breaches.


Background

There is a positive correlation between new applications and the surface area in which attackers can find security weaknesses. This will inevitably lead to a continued rise in security breaches. Attackers have various motivations for targeting different applications, but a robust Application Security (AppSec) Penetration Testing (pentesting) Program will ensure that whatever you are releasing into the world is battle ready.

So, how does one go about building such a program and how do you know if it is working? While a bit on the longer side, this post will help you answer those questions, and more. …


A practical guide to scaling Application Security so Developers can focus on what they’re great at while shipping products more securely.


Background

The role of Developers and DevOps Engineers is to create the code and instrumentation needed to release a product or service. It is important that they have what they need in their workflow to release code securely. How do you make sure this actually happens without constant obstruction?

This post will provide a high-level overview of how to successfully embed security in the daily development workflow and the Continuous Build and Continuous Deployment (CI/CD) system. This way, Developers can focus on what they’re great at while shipping products and applications more securely. …


A practical guide to building a scalable Application Security Design Review process through threat modeling and empowerment.


Background

Developers and product owners often think about the happy path. They get locked in on what should go right (a monetary success), and it’s easy to forget what can go wrong. So, how do you influence the culture of a broad engineering population and actively prevent the unhappy path?

This post will provide you with a practical guide to building a scalable security design review process from scratch to avoid last minute security roadblocks and get people thinking like attackers. …

About

James Chiappetta

Started my career pentesting and building security tools. I have built several security teams. I believe in a balanced approach to cybersecurity.
