Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reality Checking Your Security Testing Program (Converge Detroit 2014)

Darren P Meyer (Veracode)
July 10, 2014
Technology
0
81

Reality Checking Your Security Testing Program (Converge Detroit 2014)

Your security testing program was built with certain conceptions and biases... and a lot of them are wrong. How do we re-examine our beliefs about software development to improve our testing programs and be ready for Agile, Lean, and DevOps methodologies?

Updated slightly for Converge Detroit 2014 (cf https://speakerdeck.com/darrenpmeyer_vc/reality-checking-your-security-testing-program-source-boston-2014)

Darren P Meyer (Veracode)

July 10, 2014
Tweet

More Decks by Darren P Meyer (Veracode)

See All by Darren P Meyer (Veracode)
Reality-Checking Your Security Testing Program (2.0)
darrenpmeyer_vc
0
35
Creative Ways To Get In Trouble: Distraction & Vengeance Techniques
darrenpmeyer_vc
0
100
Reality-Checking Your Security Testing Program (SOURCE Boston 2014)
darrenpmeyer_vc
0
120

Other Decks in Technology

See All in Technology
シン・Kafka / shin-kafka
oracle4engineer
PRO
7
2.7k
少数チームで挑む: SwiftUI, TCA, KMPを用いた 新規動画配信アプリ 「ABEMA Live」の開発について
tomu28
0
530
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
220
PHPカンファレンス小田原2024
ysknsid25
3
660
A (short) History of AI
harishpillay
0
110
Janus
bkuhlmann
1
490
TransitGatewayの基礎
toru_kubota
0
230
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
120
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
110
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
200
「手動オペレーションに定評がある」と言われた私が心がけていること / phpcon_odawara2024
blue_goheimochi
2
320
AIQ株式会社 エンジニア向け会社紹介資料
aiqlab
0
360

Featured

See All Featured
Facilitating Awesome Meetings
lara
41
5.6k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
The Illustrated Children's Guide to Kubernetes
chrisshort
29
46k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
What's new in Ruby 2.0
geeforr
337
31k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Building a Scalable Design System with Sketch
lauravandoore
455
32k
Building Your Own Lightsaber
phodgson
98
5.7k
Infographics Made Easy
chrislema
237
18k

Transcript

  1. Darren Meyer Senior Security Researcher Reality-checking your Security Testing Program

  2. 2 @DarrenPMeyer #RealitySTP Compliance (probably) How did you justify your

    Security Testing Program?

  3. 3 @DarrenPMeyer #RealitySTP critical = (scary * compliance-y)

  4. 4 @DarrenPMeyer #RealitySTP Agility Program elasticity 3rd-party components Discovery Things

    you probably didn’t consider

  5. 5 @DarrenPMeyer #RealitySTP Reality Check and how to do better

  6. 6 @DarrenPMeyer #RealitySTP Supports development and delivery Requires developer base-level

    knowledge Security is not “defense” it’s Quality

  7. 7 @DarrenPMeyer #RealitySTP Idea → Resource → Requirements → Build

    & Test → Certification → Warranty & Support Security Testing (usually) Security Testing (BETTER)

  8. 8 @DarrenPMeyer #RealitySTP “We’re Lean (or Agile)!” no you aren’t

    If you are, then what’s your role? QA and Operations Are you Fauxgile?

  9. 9 @DarrenPMeyer #RealitySTP Most of your problems are not unique

    Security is a community If you’re doing a good job, help people If you aren’t, ask for help Security is Quality You are not a special and unique snowflake

  10. 10 @DarrenPMeyer #RealitySTP And performance, reliability, maintainability, usability, time-to-market…. No

    clear & testable requirements? No priority. Developers DO care about security

  11. 11 @DarrenPMeyer #RealitySTP Making Changes

  12. 12 @DarrenPMeyer #RealitySTP Control vs. Assurance Perfect is the enemy

    of Good Do QA not (just) QC

  13. 13 @DarrenPMeyer #RealitySTP Go to development users’ groups Simplify security

    requirements Find and mentor security champions automate, automate, automate Process Agility

  14. 14 @DarrenPMeyer #RealitySTP Speed up Build reduced policies Help, don’t

    critique automate, automate, automate Thinking small

  15. 15 @DarrenPMeyer #RealitySTP Reduced/Flexible policy sets Checklists and Cheatsheets Automate,

    Automate, Automate Elasticity

  16. 16 @DarrenPMeyer #RealitySTP Trusted, neutral verification Actually test, not just

    assess Must add value for them too automate, automate, automate Verifying Third Parties

  17. 17 @DarrenPMeyer #RealitySTP Follow the money Be a better partner

    automate, automate, automate Improving discovery

  18. 18 @DarrenPMeyer #RealitySTP Accountability Don’t punish: reinforce People don’t fear

    change they fear being changed Aligning incentives

  19. KEEP TALKING tweet @DarrenPMeyer or mention #RealitySTP