Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reality-Checking Your Security Testing Program ...

Darren P Meyer (Veracode)
September 23, 2014
Technology
0
40

Reality-Checking Your Security Testing Program (2.0)

Most software security testing programs are built to satisfy a compliance requirement or address a pain point. But they're built with misconceptions about what's important, what software quality means, and how software development works in practice.

This presentation explores approaches to improving a security testing practice in an Agile environment, informed by work in and conversations with organizations around the world.

Darren P Meyer (Veracode)

September 23, 2014
Tweet

More Decks by Darren P Meyer (Veracode)

See All by Darren P Meyer (Veracode)
Reality Checking Your Security Testing Program (Converge Detroit 2014)
darrenpmeyer_vc
0
85
Creative Ways To Get In Trouble: Distraction & Vengeance Techniques
darrenpmeyer_vc
0
110
Reality-Checking Your Security Testing Program (SOURCE Boston 2014)
darrenpmeyer_vc
0
140

Other Decks in Technology

See All in Technology
NilAway による静的解析で「10 億ドル」を節約する #kyotogo / Kyoto Go 56th
ytaka23
3
370
複雑性の高いオブジェクト編集に向き合う: プラガブルなReactフォーム設計
righttouch
PRO
0
110
ガバメントクラウドのセキュリティ対策事例について
fujisawaryohei
0
530
Jetpack Composeで始めるServer Cache State
ogaclejapan
2
160
podman_update_2024-12
orimanabu
1
260
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
250
KubeCon NA 2024 Recap / Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads
z63d
1
240
日本版とグローバル版のモバイルアプリ統合の開発の裏側と今後の展望
miichan
1
120
watsonx.ai Dojo #5 ファインチューニングとInstructLAB
oniak3ibm
PRO
0
160
新機能VPCリソースエンドポイント機能検証から得られた考察
duelist2020jp
0
210
コンテナセキュリティのためのLandlock入門
nullpo_head
2
320
アップデート紹介:AWS Data Transfer Terminal
stknohg
PRO
0
170

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
A Philosophy of Restraint
colly
203
16k
Agile that works and the tools we love
rasmusluckow
328
21k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
28
900
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.4k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
810
The Cult of Friendly URLs
andyhume
78
6.1k

Transcript

  1. Reality-Checking Your Security Testing Program Darren P Meyer Senior Security

    Researcher 2.0

  2. Who am I? Senior Security Researcher Certified Scrum Master Senior

    Security Instructor Senior Technical Architect, IT Security Security Analyst Software Developer/Consultant

  3. Justification: Compliance Photo © mlcastle, CC BY 2.0

  4. You’re not testing Gather Requirements Build & Test Certify Deploy

    Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Security “Testing”

  5. Do Assurance not Control Gather Requirements Build & Test Certify

    Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Quality Control

  6. Security is an Assurance Activity Gather Requirements Build & Test

    Certify Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Security Testing Security Testing Security Testing

  7. Understand your real process Photo © visualpun.ch CC BY SA

    2.0

  8. We are Agile! Signs you’re actually “Fauxgile”: •  Zero product

    documentation •  Lots of project documentation •  Teams bigger than about 9 people •  Testing is only done by “QA” •  Lack of key Agile metrics

  9. You are not special Public Domain Photo produced by USDA

  10. Making Changes Photo © 2008 Mynameisben123 CC BY 2.0

  11. Agility Photo © Laura Bittner CC BY 2.0

  12. Elasticity Photo © Who-is-me CC BY SA 2.5

  13. Discovery Photo © Sebastian Ritter CC BY SA 2.5

  14. Culture Photo © Esv CC BY SA 2.5

  15. Developers do care about security Photo © 2001 HackNY.org by

    @matylda CC BY SA 2.0

  16. Align incentives Photo © Pat David CC BY SA 2.0

  17. People don’t fear change Photo © Felix Burton CC BY

    2.0

  18. Yep. This. Photo © Daniel X. O’Neil CC BY 2.0

  19. Keep Talking Photo © Chiltepinster CC BY SA 3.0 @DarrenPMeyer

    / #RealitySTP