Reality-Checking Your Security Testing Program (2.0)

Reality-Checking
Your Security Testing Program
Darren P Meyer
Senior Security Researcher
2.0

View Slide

Who am I?
Senior Security Researcher
Certiﬁed Scrum Master
Senior Security Instructor
Senior Technical Architect, IT Security
Security Analyst
Software Developer/Consultant

View Slide

Justiﬁcation: Compliance
Photo © mlcastle, CC BY 2.0

View Slide

You’re not testing
Gather
Requirements
Build & Test
Certify
Deploy
Warranty
& Support
Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons
Security “Testing”

View Slide

Do Assurance not Control
Gather
Requirements
Build & Test
Certify
Deploy
Warranty
& Support
Quality Control

View Slide

Security is an Assurance Activity
Gather
Requirements
Build & Test
Certify
Deploy
Warranty
& Support
Security Testing
Security Testing
Security Testing

View Slide

Understand your real process
Photo © visualpun.ch CC BY SA 2.0

View Slide

We are Agile!
Signs you’re actually “Fauxgile”:
•  Zero product documentation
•  Lots of project documentation
•  Teams bigger than about 9 people
•  Testing is only done by “QA”
•  Lack of key Agile metrics

View Slide

You are not special
Public Domain Photo produced by USDA

View Slide

Making Changes
Photo © 2008 Mynameisben123 CC BY 2.0

View Slide

Agility
Photo © Laura Bittner CC BY 2.0

View Slide

Elasticity
Photo © Who-is-me CC BY SA 2.5

View Slide

Discovery
Photo © Sebastian Ritter CC BY SA 2.5

View Slide

Reality-Checking Your Security Testing Program (2.0)

Reality-Checking Your Security Testing Program (2.0)

Darren P Meyer (Veracode)

More Decks by Darren P Meyer (Veracode)

Other Decks in Technology

Featured

Transcript