Defense in Depth, as learned from watching football
What do application security and football have in common? In both, an offense runs a variety of attacks to try to break through its opponent, and the defense is arranged to prevent those attacks or, failing that, to limit how much ground they gain. Football teams field three levels of defense, and within each level there are positions with different specializations. This is defense in depth in its purest form: coaches study hundreds of likely plays in order to build a playbook of protection scenarios, and by repeatedly practicing those scenarios, defensive players are able to stop an attack early and hold it to minimal gain. Just as a well-coordinated defense keeps the opposing team from scoring, a layered application security strategy safeguards digital assets from cyberattacks. By understanding the parallels between maintaining secure code and playing defense in football, developers can continue to create and maintain secure open source software.
So that no prior knowledge of either subject is needed, the presentation will begin with a basic introduction to coaches, playbooks, and film study, and how each compares to the security team, security playbooks, and threat modeling. This will be followed by a very brief example of what a playbook can look like, along with whatever football background is needed for the rest of the talk. It will then turn to the offense and how it maps to an application security attack, and from there to the different attacks our defense will have to stop, with a focus on attacks against open source software, and how attackers chain those techniques together to make them harder to stop. Next, the presentation will lay out the three levels of defense, the positions within each level, and which application security tool or test corresponds to each position, including the responsibility and role of both the football position and the security tool. After each position has been covered, everything will be brought back together to show how defense in depth emerges from the way all the defensive players work together. The playbooks and film study will be revisited to make a point about preparation and how those habits can be used to get ahead of possible attacks. The presentation will conclude with a discussion of how the different application security tools are more effective in combination than any one of them is alone.
While the talk addresses the broader topic of application security and maintaining secure code, most of the storytelling will center on open source security. This will include discussing different open source vulnerabilities and how defense in depth techniques can be used to prevent similar vulnerabilities in the future.