Reality Checking Your Security Testing Program (Converge Detroit 2014)

Your security testing program was built with certain conceptions and biases... and a lot of them are wrong. How do we re-examine our beliefs about software development to improve our testing programs and be ready for Agile, Lean, and DevOps methodologies?

Updated slightly for Converge Detroit 2014 (cf https://speakerdeck.com/darrenpmeyer_vc/reality-checking-your-security-testing-program-source-boston-2014)

Transcript

  1. Darren Meyer
    Senior Security Researcher
    Reality-checking your Security Testing Program

  2. How did you justify your Security Testing Program?
    @DarrenPMeyer #RealitySTP
    Compliance (probably)

  3. critical = (scary * compliance-y)

  4. Things you probably didn’t consider
    Agility
    Program elasticity
    3rd-party components
    Discovery

  5. Reality Check
    and how to do better

  6. Security is not “defense”, it’s Quality
    Supports development and delivery
    Requires developer base-level knowledge

  7. Idea → Resource → Requirements → Build & Test → Certification → Warranty & Support
    Security Testing (usually)
    Security Testing (BETTER)

  8. Are you Fauxgile?
    “We’re Lean (or Agile)!”
    no you aren’t
    If you are, then what’s your role?
    QA and Operations

  9. You are not a special and unique snowflake
    Most of your problems are not unique
    Security is a community
    If you’re doing a good job, help people
    If you aren’t, ask for help
    Security is Quality

  10. Developers DO care about security
    And performance, reliability, maintainability, usability, time-to-market…
    No clear & testable requirements? No priority.

  11. Making Changes

  12. Control vs. Assurance
    Perfect is the enemy of Good
    Do QA not (just) QC

  13. Process Agility
    Go to development users’ groups
    Simplify security requirements
    Find and mentor security champions
    automate, automate, automate

  14. Thinking small
    Speed up
    Build reduced policies
    Help, don’t critique
    automate, automate, automate

  15. Elasticity
    Reduced/Flexible policy sets
    Checklists and Cheatsheets
    Automate, Automate, Automate

  16. Verifying Third Parties
    Trusted, neutral verification
    Actually test, not just assess
    Must add value for them too
    automate, automate, automate

  17. Improving discovery
    Follow the money
    Be a better partner
    automate, automate, automate

  18. Aligning incentives
    Accountability
    Don’t punish: reinforce
    People don’t fear change, they fear being changed

  19. KEEP TALKING
    tweet @DarrenPMeyer or mention #RealitySTP