Reality-Checking Your Security Testing Program (SOURCE Boston 2014)

Your security testing program was built with certain conceptions and biases... and a lot of them are wrong. How do we re-examine our beliefs about software development to improve our testing programs and be ready for Agile, Lean, and DevOps methodologies?


Darren P Meyer (Veracode)

April 09, 2014


  1. Darren Meyer, Senior Security Researcher
     Reality-checking your Security Testing Program

  2. @DarrenPMeyer #RealitySTP
     How did you justify your Security Testing Program?
     Compliance (probably)

  3. Things you probably didn’t consider
     Agility
     Program elasticity
     3rd-party components
     Discovery

  4. Reality Check, and how to do better

  5. Security is not “defense”, it’s Quality
     Supports development and delivery
     Requires developer base-level knowledge

  6. Idea → Resource → Requirements → Build & Test → Certification → Warranty & Support
     Security Testing (usually)
     Security Testing (BETTER)

  7. Are you Fauxgile?
     “We’re Lean (or Agile)!” no you aren’t
     If you are, then what’s your role? QA and Operations

  8. You are not a special and unique snowflake
     Most of your problems are not unique
     Security is a community
     If you’re doing a good job, help people
     If you aren’t, ask for help
     Security is Quality

  9. Developers DO care about security
     And performance, reliability, maintainability, usability, time-to-market…
     No clear & testable requirements? No priority.

  10. Making Changes

  11. Do QA, not (just) QC
      Control vs. Assurance
      Perfect is the enemy of Good

  12. Process Agility
      Go to development users’ groups
      Simplify security requirements
      Find and mentor security champions
      Automate, Automate, Automate

  13. Thinking small
      Speed up
      Build reduced policies
      Help, don’t critique
      Automate, automate, automate

  14. Verifying Third Parties
      Trusted, neutral verification
      Actually test, not just assess
      Must add value for them too
      Automate, Automate, Automate

  15. Improving discovery
      Follow the money
      Be a better partner
      Automate, automate, automate

  16. Aligning incentives
      Accountability
      Don’t punish: reinforce
      People don’t fear change, they fear being changed

  17. KEEP TALKING: tweet @DarrenPMeyer or mention #RealitySTP