Repository

The repository contains the deliverables that have been produced for the SECDES project. The screen recordings of the virtual project meetings can be found on the media page.
  • Zeven essentiële principes voor het schrijven van veilige programma's — Modern software security requires more than patching vulnerabilities after release — it demands a proactive approach woven into development itself. This article explains how secure coding practices reduce risk by eliminating common weaknesses early, making systems more resilient and cost-effective to maintain. [view online]
  • By-design Cybersecure Digital Products — This presentation introduces the SECDES project and highlights why integrating security into the DevOps pipeline has become increasingly crucial as development cycles accelerate. It explains how modern teams face pressure to deliver quickly while maintaining robust protection against emerging threats. It focuses on three key areas: securing the software design phase by building security principles into architecture decisions from the start, implementing automated security testing to catch vulnerabilities early and continuously, and strengthening cybersecurity governance to ensure compliance and accountability across the development process. [download]
  • Softwarebeveiliging meten met OWASP SAMM — In a landscape where cyberattacks and regulation intensify, measuring software security becomes a strategic necessity. This article presents the OWASP SAMM framework as a practical, adaptable tool for assessing the maturity of an organization's security practices in software development. By evaluating governance, design, implementation, verification, and operations across defined maturity levels, SAMM helps organizations identify strengths and improvement points in their security posture. [view online]
  • Strategieën voor softwarebeveiliging in de ontwikkelingscyclus — Software development strategies can differ widely in how they approach security, and this article explores three common models for embedding it into the development cycle. DevOpsSec integrates security measures later in the pipeline, while DevSecOps weaves checks and controls throughout each phase, and SecDevOps treats security as a foundational design principle from the very start. Each approach comes with distinct benefits and challenges, making the right choice dependent on an organization's culture, processes, and technical maturity. [view online]
  • An Introduction to Threat Modeling — This presentation introduces 'threat modeling', one of the core techniques in the secure software development lifecycle. It sheds light on what threat modeling entails, where it fits in the SDLC, what benefits it brings, and how to get started. The presentation also incorporates findings from a recent research project that investigates the current state of practice in large Dutch organizations regarding threat modeling, and shares their lessons learned. [download]
  • SecDevOps: Beveiliging als cruciaal deel van het ontwikkelingsproces — This article makes the case for SecDevOps as a development philosophy in which security is not an added layer, but the very foundation of software creation. Instead of pushing security tasks to later stages, SecDevOps embeds continuous security controls and accountability at every step, ensuring that critical vulnerabilities are identified and addressed early. [view online]
  • De 4 belangrijkste SecDevOps-uitdagingen aangepakt — This article tackles the four major challenges companies often face when shifting to SecDevOps from culture clashes and skill gaps to tool complexity and talent shortages. It highlights the friction between traditional team silos and a unified security mindset, underscores the need to upskill developers, and addresses the strain on limited cybersecurity resources. At the same time, it warns of tool proliferation creating noise and integration difficulties, and suggests remedies like automation, consolidation, and tooling alignment. Adopting SecDevOps is not only a technical shift but also an organizational journey that requires deliberate strategies and persistent effort. [view online]
  • Leveraging Product Management to Shift Left in Small SaaS Teams — Historically, security wasn't always a top priority for most small SaaS teams, feature development was. Upcoming legislation like NIS2, CRA, ... is increasing the pressure on the teams, not from the legislation itself, but from corporate customers who are becoming much more demanding. In this presentation we will argue that integrating security requirements early ("shifting left") should be driven by product management, as they have the best understanding of customer concerns from both feature and security perspectives. This understanding can drive investment in application security (appsec) and prioritize it on the roadmap. Product managers typically know the value of the data managed by the SaaS, whether it is crucial or peripheral to customers. [view online]
  • Keeping pace with OAuth's Evolving Security Practices — OAuth 2.0, introduced in 2012, is now the de facto standard for API authorization. Over time, its security guidance has evolved to address new threats and use cases. This presentation covers the latest OAuth 2.0 security best practices and highlights upcoming changes to the standard, ensuring you stay ahead in securing your applications. [download]
  • Automated Security Testing — Automated security testing takes center stage as a critical enabler for secure, fast-moving software delivery. The presentation explores how security checks can be woven into every stage of the DevOps pipeline, turning testing from a slow, manual afterthought into a continuous, automated safeguard. It examines the power of static and dynamic testing, cloud and infrastructure scanning, and intelligent triage to focus teams on the issues that truly matter. By shifting left and integrating these capabilities directly into development workflows, the presentation shows how to catch vulnerabilities early, reduce noise, and maintain both speed and security. [download]
  • Software supply chain security, NIS2 and SBOM — Software supply chain security is introduced as a growing priority for organizations facing complex ecosystems, new regulations, and high-impact vulnerabilities. This presentation explores recent supply chain incidents like SolarWinds and XZ backdoor as a wake-up call for proactive risk management. It lays out the building blocks for stronger resilience: clear policies, supplier requirements aligned with NIS2, and systematic use of Software Bills of Materials (SBOMs) for transparency and traceability. [download]
  • Threat Modeling Workshop — Threat modeling sharpens the ability to spot weaknesses before attackers do. This presentation focuses on building a security mindset that questions assumptions, maps out how systems really work, and highlights where trust could be broken. You learn to visualize data flows, identify the most critical assets, and think through worst-case scenarios that threaten confidentiality, integrity, or availability. [download]
  • An Overview of Threat Modeling Tools — This presentation explores how tools can support effective threat modeling in practice. The session introduces what to expect from threat modeling tools and highlights several popular solutions that can streamline the process [download]
  • Security & Privacy Architecture through Risk-driven Threat Assessment — When building software systems, you need to continuously consider the system's security and privacy (S&P) aspects. Even after the system is put into production, regular S&P reassessments are key, as the system, environment and implemented security measures may evolve over time. While contemporary threat modeling activities can help, they are restricted to a fleeting snapshot of the system under assessment, do not offer support for prioritization, nor support for easy reuse. This is where SPARTA comes in. [download]
  • OpenAPI as a Security Tool — OpenAPI specifications are more than just documentation—they can be a powerful foundation for improving your application's security. This presentation explores how to effectively use OpenAPI in both code-first and spec-first workflows. It discusses how well-crafted specs help uncover security issues, guide audits, and power security tools for testing, automated attacks, and even runtime protection. [download]
  • Introduction to SAMM — OWASP SAMM, the Software Assurance Maturity Model, offers an effective, measurable way to analyze and improve an organization's secure development lifecycle. This presentation provides a clear introduction to the model and explains how it helps organizations identify where their security investments deliver the greatest value. [download]