Hackers of India

AI Assisted Decision Making of Security Review Needs for New Features

Mrityunjay Gautam, Pavan Kolachoor

2023/08/10

Abstract

SDLC has evolved from the decade-old definition by Microsoft to Agile transformation and is finally trying to catch up with cloud development velocity. While the process is well understood in the industry, the execution varies a lot. How many times has it happened that we discovered a feature with security impact at the time it was getting shipped, or when a customer raised a concern that was escalated to the security team, or in the worst-case scenario, when there was a security incident? We end up asking how this feature shipped in the security team's blind spot.

Organizations have tried to solve this problem by adding more people to SDLC teams, adding Security Champions/Advocates in development orgs, and adding lengthy questionnaires which developers love to ignore. The biggest challenge in any of these approaches is that, for scalability in cloud environments, we rely on developers to be the first judge of which features should go through an SDLC review. This is bound to have a huge blind spot for two reasons: the people making the decision are not security experts, and feature velocity conflicts with SDLC review.

In this talk, I will present a novel approach to solving this problem using Deep Learning and NLP technologies. I will demonstrate the use of NLP to understand engineering language, which is very different from spoken language, and finally apply Deep Learning to solve a security problem that can uplevel the coverage of any SDLC program and minimize the security blind spot by a high degree.
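As an added illustration (not the speakers' model or code), the following stands in for the classifier the abstract describes: it treats "does this feature need a security review?" as a text-classification problem over the engineer's own ticket wording. A bag-of-words naive Bayes model replaces the deep learning component so the example runs offline; the training sentences and labels are constructed here, and the class name, the stopword list and the `REVIEW_THRESHOLD` value are assumptions. The threshold is deliberately set below 0.5 because, as the abstract argues, a feature that slips past review costs more than an unnecessary review, so borderline cases are routed to the security team.

```python
import math
import re
from collections import Counter

# Constructed training data: feature descriptions as an engineer might write
# them in a ticket, hand-labelled by whether a security review was needed.
# Illustrative samples only, not data from the talk.
NEEDS_REVIEW = [
    "add oauth login flow for partner api with token refresh",
    "store customer payment card data in new billing service",
    "expose admin endpoint to reset user passwords",
    "allow file upload of attachments to shared workspace",
    "new sso integration with saml identity provider",
    "grant service account access to production database",
    "export user personal data to third party analytics",
    "add webhook that executes customer supplied scripts",
]
NO_REVIEW = [
    "change button color on settings page",
    "fix typo in onboarding tooltip text",
    "update dashboard chart colors and font size",
    "rename menu label from projects to workspaces",
    "improve loading spinner animation speed",
    "add dark mode theme toggle to ui",
    "refactor unit tests for date formatting helper",
    "update copyright year in footer",
]

# Minimal stopword list (assumption) so function words do not dominate.
STOPWORDS = {"a", "an", "the", "to", "for", "of", "in", "on", "with", "and", "from", "new"}


def tokenize(text):
    """Lowercase, split on non-alphanumerics, drop stopwords."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]


class ReviewTriageModel:
    """Multinomial naive Bayes with Laplace smoothing over ticket text."""

    def __init__(self, positive, negative):
        self.pos_counts = Counter(t for d in positive for t in tokenize(d))
        self.neg_counts = Counter(t for d in negative for t in tokenize(d))
        self.pos_total = sum(self.pos_counts.values())
        self.neg_total = sum(self.neg_counts.values())
        self.vocab_size = len(set(self.pos_counts) | set(self.neg_counts))
        n = len(positive) + len(negative)
        self.log_prior_pos = math.log(len(positive) / n)
        self.log_prior_neg = math.log(len(negative) / n)

    def _log_likelihood(self, tokens, counts, total):
        # Laplace smoothing: unseen words get count 1 instead of zero probability.
        return sum(math.log((counts[t] + 1) / (total + self.vocab_size)) for t in tokens)

    def review_probability(self, text):
        """P(needs review | text), computed in log space for stability."""
        tokens = tokenize(text)
        lp = self.log_prior_pos + self._log_likelihood(tokens, self.pos_counts, self.pos_total)
        ln = self.log_prior_neg + self._log_likelihood(tokens, self.neg_counts, self.neg_total)
        m = max(lp, ln)
        return math.exp(lp - m) / (math.exp(lp - m) + math.exp(ln - m))


MODEL = ReviewTriageModel(NEEDS_REVIEW, NO_REVIEW)

# Assumed operating point: flag anything with >= 30% review probability, so a
# missed review (the blind spot) is rarer than an unnecessary one.
REVIEW_THRESHOLD = 0.3


def needs_security_review(text, model=None, threshold=REVIEW_THRESHOLD):
    """Return True when the feature description should be routed to security review."""
    if model is None:
        model = MODEL
    return model.review_probability(text) >= threshold


if __name__ == "__main__":
    for ticket in [
        "add api key authentication to partner endpoint",
        "tweak spinner color on the loading page",
        "add export of dashboard chart to pdf",
    ]:
        p = MODEL.review_probability(ticket)
        print(f"{p:.2f}  review={needs_security_review(ticket)}  {ticket}")
```

The third sample ticket is the interesting one: "export" and "add" lean toward the review class while "dashboard" and "chart" lean away, so the model lands around a third and a 0.5 cutoff would let it ship unreviewed. A production version would swap the naive Bayes for the NLP/deep learning model the talk describes and tune the threshold against the cost of a missed review rather than against raw accuracy.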

While the presentation will focus on the security space, the technology being described in this presentation can be extended to make judgments on legal reviews, privacy reviews, and many other engineering problems.