Reality-Checking Your Security Testing Program (SOURCE Boston 2014)

Darren Meyer Senior Security Researcher Reality-checking your Security Testing Program

2 @DarrenPMeyer #RealitySTP Compliance (probably) How did you justify your
Security Testing Program?

3 @DarrenPMeyer #RealitySTP Agility Program elasticity 3rd-party components Discovery Things
you probably didn’t consider

4 @DarrenPMeyer #RealitySTP Reality Check and how to do better

5 @DarrenPMeyer #RealitySTP Supports development and delivery Requires developer base-level
knowledge Security is not “defense” it’s Quality

6 @DarrenPMeyer #RealitySTP Idea → Resource → Requirements → Build
& Test → Certification → Warranty & Support Security Testing (usually) Security Testing (BETTER)

7 @DarrenPMeyer #RealitySTP “We’re Lean (or Agile)!” no you aren’t
If you are, then what’s your role? QA and Operations Are you Fauxgile?

8 @DarrenPMeyer #RealitySTP Most of your problems are not unique
Security is a community If you’re doing a good job, help people If you aren’t, ask for help Security is Quality You are not a special and unique snowflake

9 @DarrenPMeyer #RealitySTP And performance, reliability, maintainability, usability, time-to-market…. No
clear & testable requirements? No priority. Developers DO care about security

10 @DarrenPMeyer #RealitySTP Making Changes

11 @DarrenPMeyer #RealitySTP Control vs. Assurance Perfect is the enemy
of Good Do QA not (just) QC

12 @DarrenPMeyer #RealitySTP Go to development users’ groups Simplify security
requirements Find and mentor security champions Automate, Automate, Automate Process Agility

13 @DarrenPMeyer #RealitySTP Speed up Build reduced policies Help, don’t
critique Automate, automate, automate Thinking small

14 @DarrenPMeyer #RealitySTP Trusted, neutral verification Actually test, not just
assess Must add value for them too Automate, Automate, Automate Verifying Third Parties

15 @DarrenPMeyer #RealitySTP Follow the money Be a better partner
Automate, automate, automate Improving discovery

16 @DarrenPMeyer #RealitySTP Accountability Don’t punish: reinforce People don’t fear
change they fear being changed Aligning incentives

KEEP TALKING tweet @DarrenPMeyer or mention #RealitySTP

Reality-Checking Your Security Testing Program ...

Reality-Checking Your Security Testing Program (SOURCE Boston 2014)

Darren P Meyer (Veracode)

More Decks by Darren P Meyer (Veracode)

Other Decks in Technology

Featured

Transcript

Darren Meyer Senior Security Researcher Reality-checking your Security Testing Program

2 @DarrenPMeyer #RealitySTP Compliance (probably) How did you justify your

3 @DarrenPMeyer #RealitySTP Agility Program elasticity 3rd-party components Discovery Things

4 @DarrenPMeyer #RealitySTP Reality Check and how to do better

5 @DarrenPMeyer #RealitySTP Supports development and delivery Requires developer base-level

6 @DarrenPMeyer #RealitySTP Idea → Resource → Requirements → Build

7 @DarrenPMeyer #RealitySTP “We’re Lean (or Agile)!” no you aren’t

8 @DarrenPMeyer #RealitySTP Most of your problems are not unique

9 @DarrenPMeyer #RealitySTP And performance, reliability, maintainability, usability, time-to-market…. No

10 @DarrenPMeyer #RealitySTP Making Changes

11 @DarrenPMeyer #RealitySTP Control vs. Assurance Perfect is the enemy

12 @DarrenPMeyer #RealitySTP Go to development users’ groups Simplify security

13 @DarrenPMeyer #RealitySTP Speed up Build reduced policies Help, don’t

14 @DarrenPMeyer #RealitySTP Trusted, neutral verification Actually test, not just

15 @DarrenPMeyer #RealitySTP Follow the money Be a better partner

16 @DarrenPMeyer #RealitySTP Accountability Don’t punish: reinforce People don’t fear

KEEP TALKING tweet @DarrenPMeyer or mention #RealitySTP