Reality-Checking Your Security Testing Program Darren P Meyer Senior Security Researcher 2.0 

Who am I? Senior Security Researcher Certified Scrum Master Senior Security Instructor Senior Technical Architect, IT Security Security Analyst Software Developer/Consultant 

Justification: Compliance Photo © mlcastle, CC BY 2.0 

You’re not testing Gather Requirements Build & Test Certify Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Security “Testing” 

Do Assurance not Control Gather Requirements Build & Test Certify Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Quality Control 

Security is an Assurance Activity Gather Requirements Build & Test Certify Deploy Warranty & Support Public Domain Photo provided by Peterrhyslewis via Wikimedia Commons Security Testing Security Testing Security Testing 

Understand your real process Photo © visualpun.ch CC BY SA 2.0 

We are Agile! Signs you’re actually “Fauxgile”: •  Zero product documentation •  Lots of project documentation •  Teams bigger than about 9 people •  Testing is only done by “QA” •  Lack of key Agile metrics 

You are not special Public Domain Photo produced by USDA 

Making Changes Photo © 2008 Mynameisben123 CC BY 2.0 

Agility Photo © Laura Bittner CC BY 2.0 

Elasticity Photo © Who-is-me CC BY SA 2.5 

Discovery Photo © Sebastian Ritter CC BY SA 2.5 

Culture Photo © Esv CC BY SA 2.5 

Developers do care about security Photo © 2001 HackNY.org by @matylda CC BY SA 2.0 

Align incentives Photo © Pat David CC BY SA 2.0 

People don’t fear change Photo © Felix Burton CC BY 2.0 

Yep. This. Photo © Daniel X. O’Neil CC BY 2.0 

Keep Talking Photo © Chiltepinster CC BY SA 3.0 @DarrenPMeyer / #RealitySTP