With its June 2017 draft release, the PSIRT Framework from FIRST established a new era in product security formalization. A quick search of FIRST member organizations shows a 5:1 disparity of CSIRT-to-PSIRT members, providing a data point for what many industry experts already know: formal product security programs are much rarer than their corporate incident-response (CSIRT) counterparts.
This presentation will detail the journey, hurdles, and outcomes of using the PSIRT Framework to take a hard look at formalizing an existing application security team's efforts into a more holistic program. Topics will include executing a program gap analysis, deciding how to remediate the identified gaps, organizing a PSIRT across functional teams, the processes we use, execution of a product security advisory process, and other parts of our organization's implementation of the framework to guide our program's maturity.
Curious how to take your team's best-effort product security and level it up? Attend this talk and you'll gain real-world value from our team's experience doing just that.