Mark S. Merkow, CISSP, CISM, CSSLP, works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO. Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis and design, security engineering, and security management. Mark holds a Master of Science in Decision and Information Systems from Arizona State University (ASU), a Master of Education in Distance Education from ASU, and a Bachelor of Science in Computer Information Systems from ASU. In addition to his day job, Mark engages in a number of extracurricular activities, including consulting, course development, online course instruction, and book writing. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others. Mark remains very active in the information security community, working in a variety of volunteer roles for the Phoenix Chapter of (ISC)2®, ISACA®, and OWASP. You can find Mark's LinkedIn® profile at: [...]

Dedication

Contents

Preface

About the Author

Chapter 1: Today's Software Development Practices Shatter Old Security Practices

Chapter 2: Deconstructing Agile and Scrum

Chapter 3: Learning Is FUNdamental!

Chapter 4: Product Backlog Development-Building Security In

Chapter 5: Secure Design Considerations

Chapter 6: Security in the Design Sprint

Chapter 7: Defensive Programming

Chapter 8: Testing Part 1: Static Code Analysis

Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP

Chapter 10: Securing DevOps

Chapter 11: Metrics and Models for AppSec Maturity

Chapter 12: Frontiers for AppSec

Chapter 13: AppSec Is a Marathon-Not a Sprint!

Appendix A: Sample Acceptance Criteria for Security Controls

Appendix B: Resources for AppSec

Index