Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reality Checking Your Security Testing Program ...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Darren P Meyer (Veracode) Darren P Meyer (Veracode)
July 10, 2014
Technology
0
89

Reality Checking Your Security Testing Program (Converge Detroit 2014)

Your security testing program was built with certain conceptions and biases... and a lot of them are wrong. How do we re-examine our beliefs about software development to improve our testing programs and be ready for Agile, Lean, and DevOps methodologies?

Updated slightly for Converge Detroit 2014 (cf https://speakerdeck.com/darrenpmeyer_vc/reality-checking-your-security-testing-program-source-boston-2014)

Avatar for Darren P Meyer (Veracode)

Darren P Meyer (Veracode)

July 10, 2014
Tweet

More Decks by Darren P Meyer (Veracode)

See All by Darren P Meyer (Veracode)
Reality-Checking Your Security Testing Program (2.0)
Avatar for Darren P Meyer (Veracode) darrenpmeyer_vc
0
45
Creative Ways To Get In Trouble: Distraction & Vengeance Techniques
Avatar for Darren P Meyer (Veracode) darrenpmeyer_vc
0
110
Reality-Checking Your Security Testing Program (SOURCE Boston 2014)
Avatar for Darren P Meyer (Veracode) darrenpmeyer_vc
0
170

Other Decks in Technology

See All in Technology
~Everything as Codeを諦めない~ 後からCDK
Avatar for mu7889yoon / Yuta Nakamura mu7889yoon
3
430
Frontier Agents (Kiro autonomous agent / AWS Security Agent / AWS DevOps Agent) の紹介
Avatar for msysh msysh
3
180
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
590
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
Avatar for AEON aeonpeople
1
240
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
6.8k
学生・新卒・ジュニアから目指すSRE
Avatar for Hiroya Onoe hiroyaonoe
2
640
予期せぬコストの急増を障害のように扱う――「コスト版ポストモーテム」の導入とその後の改善
Avatar for Masahiro Yoshizawa muziyoshiz
1
2k
AWS Network Firewall Proxyを触ってみた
Avatar for nagisa_53 nagisa53
1
240
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
Avatar for adachi.ryo rvirus0817
1
1.4k
22nd ACRi Webinar - NTT Kawahara-san's slide
Avatar for Nao Sumikawa nao_sumikawa
0
100
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
Avatar for capytan capytan
6
2.8k
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
Avatar for shibayu36 shibayu36
0
260

Featured

See All Featured
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
SEO for Brand Visibility & Recognition
Avatar for Aleyda Solis aleyda
0
4.2k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
31
5.8k
First, design no harm
Avatar for Per Axbom axbom
PRO
2
1.1k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
515
110k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
38
2.7k
Digital Ethics as a Driver of Design Innovation
Avatar for Per Axbom axbom
PRO
1
180
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
53
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
910

Transcript

  1. Darren Meyer Senior Security Researcher Reality-checking your Security Testing Program

  2. 2 @DarrenPMeyer #RealitySTP Compliance (probably) How did you justify your

    Security Testing Program?

  3. 3 @DarrenPMeyer #RealitySTP critical = (scary * compliance-y)

  4. 4 @DarrenPMeyer #RealitySTP Agility Program elasticity 3rd-party components Discovery Things

    you probably didn’t consider

  5. 5 @DarrenPMeyer #RealitySTP Reality Check and how to do better

  6. 6 @DarrenPMeyer #RealitySTP Supports development and delivery Requires developer base-level

    knowledge Security is not “defense” it’s Quality

  7. 7 @DarrenPMeyer #RealitySTP Idea → Resource → Requirements → Build

    & Test → Certification → Warranty & Support Security Testing (usually) Security Testing (BETTER)

  8. 8 @DarrenPMeyer #RealitySTP “We’re Lean (or Agile)!” no you aren’t

    If you are, then what’s your role? QA and Operations Are you Fauxgile?

  9. 9 @DarrenPMeyer #RealitySTP Most of your problems are not unique

    Security is a community If you’re doing a good job, help people If you aren’t, ask for help Security is Quality You are not a special and unique snowflake

  10. 10 @DarrenPMeyer #RealitySTP And performance, reliability, maintainability, usability, time-to-market…. No

    clear & testable requirements? No priority. Developers DO care about security

  11. 11 @DarrenPMeyer #RealitySTP Making Changes

  12. 12 @DarrenPMeyer #RealitySTP Control vs. Assurance Perfect is the enemy

    of Good Do QA not (just) QC

  13. 13 @DarrenPMeyer #RealitySTP Go to development users’ groups Simplify security

    requirements Find and mentor security champions automate, automate, automate Process Agility

  14. 14 @DarrenPMeyer #RealitySTP Speed up Build reduced policies Help, don’t

    critique automate, automate, automate Thinking small

  15. 15 @DarrenPMeyer #RealitySTP Reduced/Flexible policy sets Checklists and Cheatsheets Automate,

    Automate, Automate Elasticity

  16. 16 @DarrenPMeyer #RealitySTP Trusted, neutral verification Actually test, not just

    assess Must add value for them too automate, automate, automate Verifying Third Parties

  17. 17 @DarrenPMeyer #RealitySTP Follow the money Be a better partner

    automate, automate, automate Improving discovery

  18. 18 @DarrenPMeyer #RealitySTP Accountability Don’t punish: reinforce People don’t fear

    change they fear being changed Aligning incentives

  19. KEEP TALKING tweet @DarrenPMeyer or mention #RealitySTP