4
@DarrenPMeyer #RealitySTP
Agility
Program elasticity
3rd-party components
Discovery
Things you probably didn’t consider
5
Reality Check
and how to do better
6
Supports development and delivery
Requires developer base-level knowledge
Security is not “defense”, it’s Quality
7
Idea → Resource → Requirements → Build & Test → Certification → Warranty & Support
Security Testing
(usually)
Security Testing
(BETTER)
8
“We’re Lean (or Agile)!”
no you aren’t
If you are, then what’s your role?
QA and Operations
Are you Fauxgile?
9
Most of your problems are not unique
Security is a community
If you’re doing a good job, help people
If you aren’t, ask for help
Security is Quality
You are not a special and unique snowflake
10
And performance, reliability, maintainability, usability, time-to-market…
No clear & testable requirements?
No priority.
Developers DO care about security
11
Making Changes
12
Control vs. Assurance
Perfect is the enemy of Good
Do QA not (just) QC
13
Go to development users’ groups
Simplify security requirements
Find and mentor security champions
automate, automate, automate
Process Agility
14
Speed up
Build reduced policies
Help, don’t critique
automate, automate, automate
Thinking small
16
Trusted, neutral verification
Actually test, not just assess
Must add value for them too
automate, automate, automate
Verifying Third Parties
17
Follow the money
Be a better partner
automate, automate, automate
Improving discovery
18
Accountability
Don’t punish: reinforce
People don’t fear change, they fear being changed
Aligning incentives
19
KEEP TALKING
tweet @DarrenPMeyer or mention #RealitySTP