A Stratagem on Strategy
Rolling Security Testing into Product Testing
October 24, 2019
The people up front: Kevin Fealey, Josh Wallace

• 11 years in AppSec
• 6th LASCON presentation
• <3 BBQ
• Writes lots of code
• Apps and infrastructure
• <3 DevOps
• Always looking to learn from other domains
• Believes in unicorns
• Shocked I like WoW Classic (not 60 yet..)

• 15 years relevant experience
• 8 years dev
• 7 years security
• 4 years AppSec consulting
• Passionate about DevSecOps and changing the way organizations perform security testing
• 1 wife, 3 children (ages 14, 12, 9)
• Archeage is better than WoW (fight me)
A Stratagem on Strategy - Overview
1. Comparing Quality and Security Assurance
2. Vulnerabilities vs Requirements
3. Security Test Strategy
4. Practical Example: Requirements, Test cases, Reporting
5. Compatibility with DevOps
6. Next Steps
Key Takeaways
• QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.
• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.
Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.
Security assurance program strategy

Mature programs
• Risk-based approach
• Higher risk applications receive more (broader & deeper) security attention
• Security governance and general processes for the following activities:
  • User story reviews
  • Security architecture assessments
  • Frequent threat modeling
  • Manual security code review
  • Manual penetration test
  • SAST, DAST, IAST integrated into CI
  • Supply chain security (third party / FOSS)

Less mature programs
• Most/all applications treated the same by security
• SAST, DAST, IAST integrated into CI
• Supply chain security (FOSS)
• Manual pen tests as required for compliance
Quality Assurance (QA) program strategy

Mature programs
• Full set of functional and nonfunctional requirements
• Formalized test strategy that details:
  • System architecture
  • Test scope
  • Dependencies and constraints
  • Milestones and activities
  • Governance model
  • Roles and responsibilities
  • Assumptions
  • Test approach & methodology for unit, integration, system and user acceptance testing
  • Defect management
  • Requirement traceability
  • Tooling
• Formalized test plans for each test phase detailing specific tests for a particular application
• Test case management platform and processes to standardize and centralize test information

Less mature programs
• Same as above
Security vs quality assurance summary
Stages of testing
[Diagram: Requirements Gathering → Test Planning → Test Development → Test Execution → Test Reporting; requirements feed reporting. Legend: QA Testing; QA and Security Testing]
Delivering vulnerabilities vs pass/fail requirements

Finding 104: Clickjacking
It was observed that the application does not explicitly prevent or deny “Clickjacking” style attacks. “Clickjacking”, also known as a "UI redress attack", is an attack that aims at “hijacking” mouse clicks from unaware end-users in order to perform a set of malicious actions on the target site.
Reaction: “What the hell is Clickjacking??”

Test Fail: Requirement 104
X-Frame-Options header shall be set to “deny” on all HTTP responses. It is recommended this be performed by the load balancer.
Reaction: “I’m 12 and totally understand what I need to do!”

• Implemented right the first time and clear guidance when not
• Very few false positives
• Lack of a Clickjacking finding != clickjacking is not a real risk – it may not have been tested
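What Requirement 104 looks like once it is written as an automated pass/fail check rather than a finding. This is an added example, not code from the slides or from the speakers: it evaluates "X-Frame-Options shall be set to deny on all HTTP responses" against a set of recorded responses and reports per-response results, so the report also shows what was tested (addressing the "it may not have been tested" point above). The Response class, the URLs and the sample headers are constructed for the example.

```python
"""Requirement 104 as an automated pass/fail check (added example)."""
from dataclasses import dataclass, field

REQUIREMENT_ID = "104"


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (constructed, not a real client type)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def _header(headers, name):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_frame_options(resp):
    """Return (passed, reason) for one response.

    A missing header fails, and so does any value other than 'deny'
    (the value is compared case-insensitively, ignoring surrounding whitespace).
    """
    value = _header(resp.headers, "X-Frame-Options")
    if value is None:
        return False, "header missing"
    if value.strip().lower() != "deny":
        return False, f"header value is {value!r}, expected 'deny'"
    return True, "ok"


def run_requirement_104(responses):
    """Evaluate every response; the requirement passes only if all responses pass.

    Returns a small report that a QA test-management tool could ingest:
    overall result, number of responses covered, and the failing ones.
    """
    results = []
    for resp in responses:
        ok, reason = check_frame_options(resp)
        results.append({"url": resp.url, "status": resp.status, "pass": ok, "reason": reason})
    return {
        "requirement": REQUIREMENT_ID,
        "pass": all(r["pass"] for r in results),
        "tested": len(results),
        "failed": [r for r in results if not r["pass"]],
    }


# Constructed sample responses (not real captures). Note that error pages and
# static assets count too: the requirement says "all HTTP responses".
SAMPLE = [
    Response("https://bank.example/login", 200, {"X-Frame-Options": "DENY"}),
    Response("https://bank.example/convert", 200, {"x-frame-options": "deny"}),
    Response("https://bank.example/api/rates", 200, {"X-Frame-Options": "SAMEORIGIN"}),
    Response("https://bank.example/static/app.js", 200, {}),
    Response("https://bank.example/missing", 404, {"X-Frame-Options": "DENY"}),
]

if __name__ == "__main__":
    report = run_requirement_104(SAMPLE)
    verdict = "PASS" if report["pass"] else "FAIL"
    print(f"Requirement {report['requirement']}: {verdict} "
          f"({len(report['failed'])} of {report['tested']} responses failed)")
    for failure in report["failed"]:
        print(f"  FAIL {failure['url']} ({failure['status']}): {failure['reason']}")
```

The developer receiving this output gets the same thing a failing QA test gives them: the requirement id, which responses failed, and why, instead of a paragraph explaining what clickjacking is.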
Test strategies

What is a test strategy?
► Consolidated document (often 100+ pages, without security) that sets expectations with developers and other stakeholders

How is it used?
► How often will tests occur? What are the triggers? How do developers pass (acceptance criteria)?
► Provides centralized knowledge of the application to be used by testers
► Enables consistency in test approach
► Provides clarity on dependencies, constraints, and roles & responsibilities including escalation path
► Defines the product to be tested, core functionality and interfaces
► Defines the test objectives - does the application need to meet certain requirements or have a “clean scan?”

Does your security team contribute to your test strategy?
Integrating security teams into the test strategy

Security should collaborate on test strategy sections, such as:
• Scope
• Approach
• Automation strategy
• Test schedule
• Tooling
• Risks and Impacts
• Review and approvals

A good place to establish security-related taxonomy (let’s all speak the same language)
“QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.”
- Kevin

• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.
• Security is confusing to those outside of security.
• Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.
Let’s get practical
Turning theory into action
Example application description
• Imagine that we work for a large financial services organization (or maybe you do)
• Our CEO observes that Bitcoin is taking the world by storm and forms a team to develop a strategy to allow users to make transactions with crypto-currencies
• Inside of our online banking application, we want to include a new feature that will allow users to exchange US Dollars to Bitcoin within their accounts
Example app requirements (user stories)

Feature: Exchange USD for BTC
• ID: FCRY-1
• Story: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)

Acceptance criteria
• Conversion webpage and form exist
• Conversion endpoint exists
• Swagger API YAML file exists
• Conversion endpoint is able to convert USD to BTC
• Conversion webpage is able to invoke conversion endpoint with user-provided values
Example app QA test case
Description: Exchanging USD to BTC correctly adjusts BTC and USD balances in the user’s account
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: N/A
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the user’s account page should be displayed
• And the user’s account should contain $0 USD and 1 BTC
Manual or Automated: Automated
Example app security test case (TLS)
Description: Utilize TLS connections for all content requiring authenticated access and for transfer of all sensitive information
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: Additional test cases are required to validate other TLS requirements, such as allowed ciphers, disallowed SSL/TLS versions, and use of valid certificates
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the HTTP request should be sent with TLS 1.2
Manual or Automated: Automated
Example app security test case (input validation)
Description: Validate user input matches defined whitelist criteria
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: POST parameter “USD” allowed values are whole numbers in the range of 0 to 25000
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types <valToTransfer> into the USD box and clicks “Convert”
• Then the USD to BTC conversion webpage should be displayed
• And “Please transfer a valid quantity of USD” should be displayed in the “errorMsg” field
Manual or Automated: Automated
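The input-validation test case above is a Scenario Outline: <valToTransfer> is filled from an examples table. The following added example (not from the slides or the speakers) implements the whitelist stated in the Remarks (POST parameter "USD": whole numbers from 0 to 25000), simulates the conversion endpoint's response, and runs a constructed examples table through it. It also keeps a naive validator beside the whitelist one to show why the test table needs more than "abc" and "-1": Python's int() quietly accepts "+9000", " 9000 ", "9_000" and non-ASCII digits, none of which are whole numbers per the whitelist. The function names, the page names and the examples table are assumptions made for this example.

```python
"""Input-validation test case for the USD parameter (added example)."""
import re

ERROR_MSG = "Please transfer a valid quantity of USD"
USD_MIN, USD_MAX = 0, 25000


def validate_usd_naive(raw):
    """A check that looks right but is not a whitelist.

    int() accepts '+9000', ' 9000 ', '9_000' and Unicode digits such as
    Arabic-Indic numerals, so inputs outside the defined format get through.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return ERROR_MSG
    return None if USD_MIN <= value <= USD_MAX else ERROR_MSG


# ASCII digits only, no sign, no leading zeros, at most five digits.
# [0-9] matches only U+0030..U+0039, unlike \d, which matches any Unicode digit.
_USD_RE = re.compile(r"0|[1-9][0-9]{0,4}")


def validate_usd(raw):
    """Whitelist check: returns None when the value is accepted, else the error message."""
    if not isinstance(raw, str) or _USD_RE.fullmatch(raw) is None:
        return ERROR_MSG
    value = int(raw)
    return None if USD_MIN <= value <= USD_MAX else ERROR_MSG


def convert_request(usd_param, validator=validate_usd):
    """Simulate the conversion endpoint's handling of the POST parameter.

    Returns the page displayed next and the content of the errorMsg field,
    which is what the Then/And steps of the Gherkin script assert on.
    """
    error = validator(usd_param)
    if error:
        return {"page": "USD to BTC conversion webpage", "errorMsg": error}
    return {"page": "account page", "errorMsg": ""}


# Examples table for the Scenario Outline (constructed): <valToTransfer>, expected page.
EXAMPLES = [
    ("9000", "account page"),
    ("0", "account page"),
    ("25000", "account page"),
    ("25001", "USD to BTC conversion webpage"),
    ("-1", "USD to BTC conversion webpage"),
    ("9000.5", "USD to BTC conversion webpage"),
    ("1e3", "USD to BTC conversion webpage"),
    ("+9000", "USD to BTC conversion webpage"),
    (" 9000 ", "USD to BTC conversion webpage"),
    ("9_000", "USD to BTC conversion webpage"),
    ("\u0669\u0660\u0660\u0660", "USD to BTC conversion webpage"),  # Arabic-Indic "9000"
    ("", "USD to BTC conversion webpage"),
]


def run_examples(validator=validate_usd):
    """Run every row of the table against the given validator.

    Returns the <valToTransfer> values whose outcome did not match the table;
    an empty list means the test case passes.
    """
    failures = []
    for raw, expected_page in EXAMPLES:
        result = convert_request(raw, validator)
        if result["page"] != expected_page:
            failures.append(raw)
        elif expected_page != "account page" and result["errorMsg"] != ERROR_MSG:
            failures.append(raw)
    return failures


if __name__ == "__main__":
    print("whitelist validator failures:", run_examples(validate_usd))
    print("naive int() validator failures:", run_examples(validate_usd_naive))
```

Rejecting leading zeros and a "+" sign is a design choice made here for a strict whitelist; if the product team wants "09000" accepted, that belongs in the requirement text, and the examples table changes with it.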
Leverage existing QA reporting
Is this compatible with DevOps?
• Doing this now as part of an Agile transformation, heavily leveraging DevOps
• Adds more work for security up front, but increases compliance with security requirements due to transparency, consistency, and delivering more actionable output (i.e. requirements, not vulnerabilities)
• Improves collaboration between security and product teams and provides better insight into risks during design and development processes
Improved testing workflow implementing security
[Diagram: Requirements Gathering → Test Planning → Test Development → Test Execution → Test Reporting; requirements feed reporting. Legend: QA Testing; QA and Security Testing]
Next steps
• Identify the QA leads within your organization
• Find out about their test processes and artifacts (strategies, test cases, reports, dashboards, etc.)
• Work with QA to more formally integrate security into existing testing frameworks
• Build a repository of reusable, actionable security requirements
• Sit in sprint planning and add security requirements to user stories
• Write your first security test case
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.

© 2019 EYGM Limited. All Rights Reserved.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

A Stratagem on Strategy: Rolling Security Testing into Product Testing

1. A Stratagem on Strategy
Rolling Security Testing into Product Testing
October 24, 2019

2. The people up front

Kevin Fealey
• 11 years in AppSec
• 6th LASCON presentation
• <3 BBQ
• Writes lots of code
• Apps and infrastructure
• <3 DevOps
• Always looking to learn from other domains
• Believes in unicorns
• Shocked I like WoW Classic (not 60 yet..)

Josh Wallace
• 15 years relevant experience
  • 8 years dev
  • 7 years security
  • 4 years AppSec consulting
• Passionate about DevSecOps and changing the way organizations perform security testing
• 1 wife, 3 children (ages 14, 12, 9)
• Archeage is better than WoW (fight me)

3. A Stratagem on Strategy - Overview
1. Comparing Quality and Security Assurance
2. Vulnerabilities vs Requirements
3. Security Test Strategy
4. Practical Example: Requirements, Test cases, Reporting
5. Compatibility with DevOps
6. Next Steps

Key Takeaways
• QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.
• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.

Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.
4. Security assurance program strategy

Mature programs
• Risk-based approach
  • Higher risk applications receive more (broader & deeper) security attention
• Security governance and general processes for the following activities:
  • User story reviews
  • Security architecture assessments
  • Frequent threat modeling
  • Manual security code review
  • Manual penetration test
  • SAST, DAST, IAST integrated into CI
  • Supply chain security (third party / FOSS)

Less mature programs
• Most/all applications treated the same by security
• SAST, DAST, IAST integrated into CI
• Supply chain security (FOSS)
• Manual pen tests as required for compliance

5. Quality Assurance (QA) program strategy

Mature programs
• Full set of functional and nonfunctional requirements
• Formalized test strategy that details:
  • System architecture
  • Test scope
  • Dependencies and constraints
  • Milestones and activities
  • Governance model
  • Roles and responsibilities
  • Assumptions
  • Test approach & methodology for unit, integration, system and user acceptance testing
  • Defect management
  • Requirement traceability
  • Tooling
• Formalized test plans for each test phase detailing specific tests for a particular application
• Test case management platform and processes to standardize and centralize test information

Less mature programs
• Same as above
6. Security vs quality assurance summary

7. Stages of testing
[Diagram: Requirements Gathering -> Test Planning -> Test Development -> Test Execution -> Test Reporting, with requirements feeding reporting. Legend: QA Testing; QA and Security Testing]
8. Delivering vulnerabilities vs pass/fail requirements

Finding 104: Clickjacking
It was observed that the application does not explicitly prevent or deny “Clickjacking” style attacks. “Clickjacking”, also known as a "UI redress attack", is an attack that aims at “hijacking” mouse clicks from unaware end-users in order to perform a set of malicious actions on the target site.
“What the hell is Clickjacking??”

Test Fail: Requirement 104
X-Frame-Options header shall be set to “deny” on all HTTP responses. It is recommended this be performed by the load balancer.
“I’m 12 and totally understand what I need to do!”

• Implemented right the first time, and clear guidance when not
• Very few false positives
• Lack of a Clickjacking finding != clickjacking is not a real risk; it may not have been tested
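Requirement 104 from the slide, written as the kind of automated pass/fail check that would sit beside the QA test cases. This is an added example, not code from the presentation: the Response class, check_requirement_104(), report(), the bank.example URLs and the captured responses are all constructed for illustration. The check runs over every captured response, including the redirect, the JSON API response and the error page, because the requirement says all HTTP responses, and it reports failures in the requirement's own terms rather than as a finding. Two caveats a tester would build in: header names and the DENY token are case-insensitive, so the comparison normalises case; and a PASS here means only that the captured responses satisfy the requirement, so coverage is exactly what the capture covered. (Browsers that implement CSP Level 2 also honour the Content-Security-Policy frame-ancestors directive, which the requirement as written does not check.)

```python
"""Requirement 104 (X-Frame-Options: deny on all HTTP responses) as an automated
pass/fail test. Added example, not from the presentation: Response,
check_requirement_104(), report() and the CAPTURED fixture are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (constructed for the example)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so a proxy that emits
        # "x-frame-options" must count the same as "X-Frame-Options".
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def frame_options_is_deny(value: Optional[str]) -> bool:
    """True only for the single token DENY (case-insensitive).

    SAMEORIGIN, ALLOW-FROM, a missing header, or several comma-joined values
    all fail Requirement 104 as written."""
    return value is not None and value.strip().upper() == "DENY"


def check_requirement_104(
    responses: List[Response],
) -> Tuple[bool, List[Tuple[str, int, Optional[str]]]]:
    """Return (passed, failures); failures lists (url, status, observed header) per violation."""
    failures = [
        (r.url, r.status, r.header("X-Frame-Options"))
        for r in responses
        if not frame_options_is_deny(r.header("X-Frame-Options"))
    ]
    return (not failures, failures)


# Constructed fixture: what a crawl of the conversion feature might capture.
# The redirect, the JSON API response and the error page are included on purpose:
# the requirement says *all* HTTP responses, and those are the ones a check
# limited to the landing page would miss.
CAPTURED = [
    Response("https://bank.example/convert", 200, {"X-Frame-Options": "DENY"}),
    Response("https://bank.example/convert?step=2", 302,
             {"Location": "/login", "x-frame-options": "deny"}),
    Response("https://bank.example/api/convert", 200,
             {"Content-Type": "application/json"}),
    Response("https://bank.example/error", 500, {"X-Frame-Options": "SAMEORIGIN"}),
]


def report(responses: List[Response] = CAPTURED) -> str:
    """Render the result the way a QA dashboard would: requirement ID, PASS/FAIL, what to fix."""
    passed, failures = check_requirement_104(responses)
    ok_count = len(responses) - len(failures)
    lines = [
        "Requirement 104 - X-Frame-Options shall be 'deny' on all responses: "
        f"{'PASS' if passed else 'FAIL'} ({ok_count}/{len(responses)} responses)"
    ]
    for url, status, observed in failures:
        lines.append(f"  FAIL {status} {url}: X-Frame-Options={observed!r}, expected 'deny'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run stand-alone it prints a FAIL for the API response (header absent) and for the error page (SAMEORIGIN), each with the URL and status a developer needs to fix it; the two responses carrying DENY in either case pass.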
9. Test strategies

What is a test strategy? How is it used?
► Consolidated document (often 100+ pages, without security) that sets expectations with developers and other stakeholders
► How often will tests occur? What are the triggers? How do developers pass (acceptance criteria)?
► Provides centralized knowledge of the application to be used by testers
► Enables consistency in test approach
► Provides clarity on dependencies, constraints, and roles & responsibilities including escalation path
► Defines the product to be tested, core functionality and interfaces
► Defines the test objectives: does the application need to meet certain requirements or have a “clean scan?”

Does your security team contribute to your test strategy?

10. Integrating security teams into the test strategy

Security should collaborate on test strategy sections, such as:
• Scope
• Approach
• Automation strategy
• Test schedule
• Tooling
• Risks and Impacts
• Review and approvals

A good place to establish security-related taxonomy (let’s all speak the same language)

11. “QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.” - Kevin
• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.
• Security is confusing to those outside of security.
• Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.

12. Let’s get practical
Turning theory into action
13. Example application description
• Imagine that we work for a large financial services organization (or maybe you do)
• Our CEO observes that Bitcoin is taking the world by storm and forms a team to develop a strategy to allow users to make transactions with crypto-currencies
• Inside of our online banking application, we want to include a new feature that will allow users to exchange US Dollars to Bitcoin within their accounts

14. Example app requirements (user stories)

Feature: Exchange USD for BTC
• ID: FCRY-1
• Story: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)

Acceptance criteria
• Conversion webpage and form exist
• Conversion endpoint exists
• Swagger API YAML file exists
• Conversion endpoint is able to convert USD to BTC
• Conversion webpage is able to invoke conversion endpoint with user-provided values

15. Example app QA test case
Description: Exchanging USD to BTC correctly adjusts BTC and USD balances in the user’s account
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: N/A
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the user’s account page should be displayed
• And the user’s account should contain $0 USD and 1 BTC
Manual or Automated: Automated
16. Example app security test case (TLS)
Description: Utilize TLS connections for all content requiring authenticated access and for transfer of all sensitive information
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: Additional test cases are required to validate other TLS requirements, such as allowed ciphers, disallowed SSL/TLS versions, and use of valid certificates. Treat TLS 1.2 as the minimum rather than an exact match, so that a server which negotiates TLS 1.3 (RFC 8446) does not fail a test whose intent is to reject older protocol versions.
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the HTTP request should be sent with TLS 1.2
Manual or Automated: Automated
17. Example app security test case (input validation)
Description: Validate user input matches defined whitelist criteria
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: POST parameter “USD” allowed values are whole numbers in the range of 0 to 25000
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types <valToTransfer> into the USD box and clicks “Convert”
• Then the USD to BTC conversion webpage should be displayed
• And “Please transfer a valid quantity of USD” should be displayed in the “errorMsg” field
Manual or Automated: Automated
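The scenario outline above uses a <valToTransfer> placeholder, and its Examples table is not on the slide. Below is an added example, not the presentation's code, of the allow-list validator the test case describes together with a constructed Examples table that exercises it. validate_usd(), run_examples(), the row values and the error text are assumptions; the rule itself, whole numbers from 0 to 25000, is the one stated in the test case remarks. Rows expected to be accepted would continue to the account page covered by the QA test case on slide 15 rather than to the error path. The point the table makes is that int() on its own is not a whitelist in Python: it accepts surrounding whitespace, a leading sign, underscores between digits and non-ASCII decimal digits, so the check matches an explicit ASCII-digit pattern first and only then compares the range.

```python
"""Allow-list validation of the "USD" POST parameter (whole numbers 0..25000),
plus the Examples table the scenario outline needs. Added example, not from the
presentation: validate_usd(), run_examples(), EXAMPLES and ERROR_MSG are constructed."""
import re
from typing import List, Tuple, Union

USD_MIN, USD_MAX = 0, 25000
ERROR_MSG = "Please transfer a valid quantity of USD"

# Strict allow-list: ASCII digits only, no sign, no leading zeros except a lone "0".
# int() alone is NOT an allow-list: int(" 9000"), int("+9000"), int("9_000") and
# int("\u0669\u0660\u0660\u0660") (Arabic-Indic digits) all return 9000.
# Note that [0-9] matches only ASCII digits; \d would match Unicode digits too.
_USD_RE = re.compile(r"(?:0|[1-9][0-9]{0,4})")


def validate_usd(raw: object) -> Tuple[bool, Union[int, str]]:
    """Return (True, value) for a whole number in 0..25000, else (False, ERROR_MSG)."""
    if not isinstance(raw, str) or _USD_RE.fullmatch(raw) is None:
        return (False, ERROR_MSG)
    value = int(raw)  # safe: the pattern guarantees a plain ASCII integer
    if not (USD_MIN <= value <= USD_MAX):
        return (False, ERROR_MSG)
    return (True, value)


# Constructed Examples table for the outline: (<valToTransfer>, expected to be accepted).
# Boundary values and bypass attempts a tester would want covered, not just "abc".
EXAMPLES: List[Tuple[str, bool]] = [
    ("9000", True),                        # nominal value from the QA test case
    ("0", True),                           # lower boundary
    ("25000", True),                       # upper boundary
    ("25001", False),                      # just over the limit
    ("-1", False),                         # negative
    ("9000.5", False),                     # not a whole number
    ("9e3", False),                        # scientific notation, float("9e3") == 9000.0
    ("09000", False),                      # leading zero
    (" 9000", False),                      # whitespace, int() would accept
    ("+9000", False),                      # sign, int() would accept
    ("9_000", False),                      # underscore, int() would accept
    ("\u0669\u0660\u0660\u0660", False),   # non-ASCII digits, int() would accept
    ("9000' OR '1'='1", False),            # injection-style payload
    ("", False),                           # empty
]


def run_examples(examples: List[Tuple[str, bool]] = EXAMPLES) -> List[Tuple[str, bool, bool]]:
    """Execute the outline for every row; return (value, expected, observed) for any mismatch."""
    mismatches = []
    for val, expect_ok in examples:
        ok, _ = validate_usd(val)
        if ok != expect_ok:
            mismatches.append((val, expect_ok, ok))
    return mismatches


if __name__ == "__main__":
    bad = run_examples()
    print("input validation test case:", "PASS" if not bad else f"FAIL {bad}")
```

Each row of EXAMPLES is one execution of the outline, and run_examples() returns an empty list when every row behaved as expected, which is what a test runner would report as PASS against FCRY-1.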
18. Leverage existing QA reporting

19. Is this compatible with DevOps?
• Doing this now as part of an Agile transformation, heavily leveraging DevOps
• Adds more work for security up front, but increases compliance with security requirements due to transparency, consistency, and delivering more actionable output (i.e. requirements, not vulnerabilities)
• Improves collaboration between security and product teams and provides better insight into risks during design and development processes

20. Improved testing workflow implementing security
[Diagram: the same pipeline as slide 7, Requirements Gathering -> Test Planning -> Test Development -> Test Execution -> Test Reporting, with requirements feeding reporting. Legend: QA Testing; QA and Security Testing]

21. Next steps
• Identify the QA leads within your organization
• Find out about their test processes and artifacts (strategies, test cases, reports, dashboards, etc.)
• Work with QA to more formally integrate security into existing testing frameworks
• Build a repository of reusable, actionable security requirements
• Sit in sprint planning and add security requirements to user stories
• Write your first security test case
22. EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.

© 2019 EYGM Limited. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com