Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reality Checking Your Security Testing Program ...

Darren P Meyer (Veracode)
July 10, 2014
Technology
0
85

Reality Checking Your Security Testing Program (Converge Detroit 2014)

Your security testing program was built with certain conceptions and biases... and a lot of them are wrong. How do we re-examine our beliefs about software development to improve our testing programs and be ready for Agile, Lean, and DevOps methodologies?

Updated slightly for Converge Detroit 2014 (cf https://speakerdeck.com/darrenpmeyer_vc/reality-checking-your-security-testing-program-source-boston-2014)

Darren P Meyer (Veracode)

July 10, 2014
Tweet

More Decks by Darren P Meyer (Veracode)

See All by Darren P Meyer (Veracode)
Reality-Checking Your Security Testing Program (2.0)
darrenpmeyer_vc
0
40
Creative Ways To Get In Trouble: Distraction & Vengeance Techniques
darrenpmeyer_vc
0
110
Reality-Checking Your Security Testing Program (SOURCE Boston 2014)
darrenpmeyer_vc
0
140

Other Decks in Technology

See All in Technology
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
210
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
3
1.4k
継続的にアウトカムを生み出し ビジネスにつなげる、 戦略と運営に対するタイミーのQUEST(探求)
zigorou
0
510
AI時代のデータセンターネットワーク
lycorptech_jp
PRO
1
280
社内イベント管理システムを1週間でAKSからACAに移行した話し
shingo_kawahara
0
180
How to be an AWS Community Builder | 君もAWS Community Builderになろう!〜2024 冬 CB募集直前対策編?!〜
coosuke
PRO
2
2.8k
KnowledgeBaseDocuments APIでベクトルインデックス管理を自動化する
iidaxs
1
250
レンジャーシステムズ | 会社紹介(採用ピッチ)
rssytems
0
150
マルチプロダクト開発の現場でAWS Security Hubを1年以上運用して得た教訓
muziyoshiz
2
2.1k
私なりのAIのご紹介 [2024年版]
qt_luigi
1
120
UI State設計とテスト方針
rmakiyama
2
320
アップデート紹介:AWS Data Transfer Terminal
stknohg
PRO
0
170

Featured

See All Featured
Unsuck your backbone
ammeep
669
57k
Raft: Consensus for Rubyists
vanstee
137
6.7k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Code Reviewing Like a Champion
maltzj
520
39k
Done Done
chrislema
181
16k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.1k
The Invisible Side of Design
smashingmag
298
50k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
48
2.2k
How GitHub (no longer) Works
holman
311
140k
The Cost Of JavaScript in 2023
addyosmani
45
7k

Transcript

  1. Darren Meyer Senior Security Researcher Reality-checking your Security Testing Program

  2. 2 @DarrenPMeyer #RealitySTP Compliance (probably) How did you justify your

    Security Testing Program?

  3. 3 @DarrenPMeyer #RealitySTP critical = (scary * compliance-y)

  4. 4 @DarrenPMeyer #RealitySTP Agility Program elasticity 3rd-party components Discovery Things

    you probably didn’t consider

  5. 5 @DarrenPMeyer #RealitySTP Reality Check and how to do better

  6. 6 @DarrenPMeyer #RealitySTP Supports development and delivery Requires developer base-level

    knowledge Security is not “defense” it’s Quality

  7. 7 @DarrenPMeyer #RealitySTP Idea → Resource → Requirements → Build

    & Test → Certification → Warranty & Support Security Testing (usually) Security Testing (BETTER)

  8. 8 @DarrenPMeyer #RealitySTP “We’re Lean (or Agile)!” no you aren’t

    If you are, then what’s your role? QA and Operations Are you Fauxgile?

  9. 9 @DarrenPMeyer #RealitySTP Most of your problems are not unique

    Security is a community If you’re doing a good job, help people If you aren’t, ask for help Security is Quality You are not a special and unique snowflake

  10. 10 @DarrenPMeyer #RealitySTP And performance, reliability, maintainability, usability, time-to-market…. No

    clear & testable requirements? No priority. Developers DO care about security

  11. 11 @DarrenPMeyer #RealitySTP Making Changes

  12. 12 @DarrenPMeyer #RealitySTP Control vs. Assurance Perfect is the enemy

    of Good Do QA not (just) QC

  13. 13 @DarrenPMeyer #RealitySTP Go to development users’ groups Simplify security

    requirements Find and mentor security champions automate, automate, automate Process Agility

  14. 14 @DarrenPMeyer #RealitySTP Speed up Build reduced policies Help, don’t

    critique automate, automate, automate Thinking small

  15. 15 @DarrenPMeyer #RealitySTP Reduced/Flexible policy sets Checklists and Cheatsheets Automate,

    Automate, Automate Elasticity

  16. 16 @DarrenPMeyer #RealitySTP Trusted, neutral verification Actually test, not just

    assess Must add value for them too automate, automate, automate Verifying Third Parties

  17. 17 @DarrenPMeyer #RealitySTP Follow the money Be a better partner

    automate, automate, automate Improving discovery

  18. 18 @DarrenPMeyer #RealitySTP Accountability Don’t punish: reinforce People don’t fear

    change they fear being changed Aligning incentives

  19. KEEP TALKING tweet @DarrenPMeyer or mention #RealitySTP