Reality-Checking Your Security Testing Program (SOURCE Boston 2014)

Your security testing program was built with certain conceptions and biases... and a lot of them are wrong. How do we re-examine our beliefs about software development to improve our testing programs and be ready for Agile, Lean, and DevOps methodologies?

Darren P Meyer (Veracode)

April 09, 2014


  1. Slide 6 (@DarrenPMeyer #RealitySTP): Idea → Resource → Requirements → Build & Test → Certification → Warranty & Support. Security Testing (usually) vs. Security Testing (BETTER)
  2. Slide 7: "We're Lean (or Agile)!" No you aren't. If you are, then what's your role? QA and Operations. Are you Fauxgile?
  3. Slide 8: Most of your problems are not unique. Security is a community: if you're doing a good job, help people; if you aren't, ask for help. Security is Quality. You are not a special and unique snowflake.
  4. Slide 9: And performance, reliability, maintainability, usability, time-to-market… No clear & testable requirements? No priority. Developers DO care about security.
  5. Slide 12 (Process Agility): Go to development users' groups. Simplify security requirements. Find and mentor security champions. Automate, Automate, Automate.
  6. Slide 13 (Thinking small): Speed up. Build reduced policies. Help, don't critique. Automate, automate, automate.
  7. Slide 14 (Verifying Third Parties): Trusted, neutral verification. Actually test, not just assess. Must add value for them too. Automate, Automate, Automate.
  8. Slide 15 (Improving discovery): Follow the money. Be a better partner. Automate, automate, automate.