Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reality-Checking Your Security Testing Program (2.0)

Darren P Meyer (Veracode)
September 23, 2014
Technology
0
35

Reality-Checking Your Security Testing Program (2.0)

Most software security testing programs are built to satisfy a compliance requirement or address a pain point. But they're built with misconceptions about what's important, what software quality means, and how software development works in practice.

This presentation explores approaches to improving a security testing practice in an Agile environment, informed by work in and conversations with organizations around the world.

Darren P Meyer (Veracode)

September 23, 2014
Tweet

More Decks by Darren P Meyer (Veracode)

See All by Darren P Meyer (Veracode)
Reality Checking Your Security Testing Program (Converge Detroit 2014)
darrenpmeyer_vc
0
81
Creative Ways To Get In Trouble: Distraction & Vengeance Techniques
darrenpmeyer_vc
0
100
Reality-Checking Your Security Testing Program (SOURCE Boston 2014)
darrenpmeyer_vc
0
120

Other Decks in Technology

See All in Technology
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
350
ServiceNow Knowledge Learning Rise up
manarobot
0
210
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
170
本当のAWS基礎
toru_kubota
0
510
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
140
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
610
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
240
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
460
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
Azureの基本的な権限管理の勉強会
yhana
0
300

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
Product Roadmaps are Hard
iamctodd
44
9.7k
Raft: Consensus for Rubyists
vanstee
132
6.3k
RailsConf 2023
tenderlove
4
540
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Six Lessons from altMBA
skipperchong
21
3k
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Designing for Performance
lara
601
67k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k
Large-scale JavaScript Application Architecture
addyosmani
504
110k

Transcript

  1. Reality-Checking Your Security Testing Program Darren P Meyer Senior Security

    Researcher 2.0

  2. Who am I? Senior Security Researcher Certified Scrum Master Senior

    Security Instructor Senior Technical Architect, IT Security Security Analyst Software Developer/Consultant

  3. Justification: Compliance Photo © mlcastle, CC BY 2.0

  4. You’re not testing Gather Requirements Build & Test Certify Deploy

    Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Security “Testing”

  5. Do Assurance not Control Gather Requirements Build & Test Certify

    Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Quality Control

  6. Security is an Assurance Activity Gather Requirements Build & Test

    Certify Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Security Testing Security Testing Security Testing

  7. Understand your real process Photo © visualpun.ch CC BY SA

    2.0

  8. We are Agile! Signs you’re actually “Fauxgile”: •  Zero product

    documentation •  Lots of project documentation •  Teams bigger than about 9 people •  Testing is only done by “QA” •  Lack of key Agile metrics

  9. You are not special Public Domain Photo produced by USDA

  10. Making Changes Photo © 2008 Mynameisben123 CC BY 2.0

  11. Agility Photo © Laura Bittner CC BY 2.0

  12. Elasticity Photo © Who-is-me CC BY SA 2.5

  13. Discovery Photo © Sebastian Ritter CC BY SA 2.5

  14. Culture Photo © Esv CC BY SA 2.5

  15. Developers do care about security Photo © 2001 HackNY.org by

    @matylda CC BY SA 2.0

  16. Align incentives Photo © Pat David CC BY SA 2.0

  17. People don’t fear change Photo © Felix Burton CC BY

    2.0

  18. Yep. This. Photo © Daniel X. O’Neil CC BY 2.0

  19. Keep Talking Photo © Chiltepinster CC BY SA 3.0 @DarrenPMeyer

    / #RealitySTP