Software Security: Game Day.

BSidesDE 2013

Presented by: Evan Oslick
Date: Saturday November 09, 2013
Time: 15:30 - 16:20
Location: Odeum DAC 309
Track: Track 1

Most people in Application Security talk about business risk and potential ROI when trying to drive organizations towards implementation of a software assurance program. They'll speak to architecture reviews/threat modeling, static analysis (aka: code reviews or white box testing), dynamic analysis (aka: vulnerability assessments), and pen testing. They'll refer to charts noting the cost of fixing defects earlier vs. later in the process. More often than not, they'll characterize software security vulns as 50% flaws (architecture), 50% bugs (code).

The purpose of this talk is to provide an alternative (not different or better) approach to discussing software assurance. Sports is a huge business (recreational, college, pro, high school, any level). The process of game day preparation is one of teamwork - it involves coaches, players, trainers, medical staff, and equipment managers. While fans don't see a lot of the underlying parts, it is the teams that run more efficiently which win championships.

Through interaction with the audience, various movie clips, and demonstrations, I will show how each step of the software assurance process maps quite nicely to that game day process.

Evan Oslick

Since I've been a kid, I have loved two things: sports and computers. I was never talented nor coordinated enough to do sports, so I chose the latter. I am a software engineer and software security assurance specialist. I have been developing software for over 15 years and doing software security for just under 10. My focus in the security world has been on software assurance programs and static analysis. I'll code, scan, and review while watching baseball, volleyball, hockey, or football (American). I have played all but football at one time or another - never for anything more than recreational purposes. As someone who doesn't qualify as physically gifted, I love the mental and strategy side of sports.
