Security is not a business priority, so ‘on-time’ and ‘functional’ take precedence. Developers need to be more security-minded so that they build defensively.

By understanding the adversary, and challenges with digital forensics and incident response (DFIR), developers can help security and be a critical part of the security team.

So says April Wright, senior manager: information security and compliance at Verizon, who will be presenting on ‘Orange is the new purple – how and why to integrate development teams with red/blue teams to build more secure software’, at the ITWeb Security Summit 2018, to be held from 21 to 25 May, at Vodacom World in Midrand.

Her talk will introduce a new paradigm for integrating developers with offensive and defensive teams to enhance the software development life cycle (SDLC).

She says utilising red, blue, and now yellow (development) teams in a structured way will provide knowledge sharing, strengthen defences, coverage and response, and ultimately ensure the development of a high level of security maturity over time.

"This new concept of ‘red plus yellow equals orange’ and ‘blue plus yellow equals green’ focuses on the role of developers as a critical piece of security assurance activities when combined with offensive and defensive teams," she adds.

According to her, orange teams add value when they have been integrated into the SDLC by creating a cycle of perpetual offensive testing and threat modelling to make software more secure over time through a high level of dedicated interaction. "Green teams add value when they help ensure software is capable of providing good DFIR information."

Her talk will evaluate how different team combinations can lead to more secure software. Delegates will learn how to get management buy-in, how to understand the goals and challenges of teams to build empathy and more positive interactions, and how to start including security in the SDLC.