A Stratagem on Strategy
Rolling Security Testing into Product Testing
October 24, 2019
The people up front

Kevin Fealey
• 11 years in AppSec
• 6th LASCON presentation
• <3 BBQ
• Writes lots of code
• Apps and infrastructure
• <3 DevOps
• Always looking to learn from other domains
• Believes in unicorns
• Shocked I like WoW Classic (not 60 yet..)

Josh Wallace
• 15 years relevant experience
• 8 years dev
• 7 years security
• 4 years AppSec consulting
• Passionate about DevSecOps and changing the way organizations perform security testing
• 1 wife, 3 children (ages 14, 12, 9)
• Archeage is better than WoW (fight me)
A Stratagem on Strategy - Overview
1. Comparing Quality and Security Assurance
2. Vulnerabilities vs Requirements
3. Security Test Strategy
4. Practical Example: Requirements, Test cases, Reporting
5. Compatibility with DevOps
6. Next Steps
Key Takeaways
• QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.
• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.
Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.
Security assurance program strategy

Mature programs
• Risk-based approach
• Higher risk applications receive more (broader & deeper) security attention
• Security governance and general processes for the following activities:
  • User story reviews
  • Security architecture assessments
  • Frequent threat modeling
  • Manual security code review
  • Manual penetration test
  • SAST, DAST, IAST integrated into CI
  • Supply chain security (third party / FOSS)

Less mature programs
• Most/all applications treated the same by security
• SAST, DAST, IAST integrated into CI
• Supply chain security (FOSS)
• Manual pen tests as required for compliance
Quality Assurance (QA) program strategy

Mature programs
• Full set of functional and nonfunctional requirements
• Formalized test strategy that details:
  • System architecture
  • Test scope
  • Dependencies and constraints
  • Milestones and activities
  • Governance model
  • Roles and responsibilities
  • Assumptions
  • Test approach & methodology for unit, integration, system and user acceptance testing
  • Defect management
  • Requirement traceability
  • Tooling
• Formalized test plans for each test phase detailing specific tests for a particular application
• Test case management platform and processes to standardize and centralize test information

Less mature programs
• Same as above
Security vs quality assurance summary
Stages of testing
[Diagram: Requirements Gathering → Test Planning → Test Development → Test Execution → Test Reporting; requirements feed reporting. Legend: QA Testing; QA and Security Testing]
Delivering vulnerabilities vs pass/fail requirements

Finding 104: Clickjacking
It was observed that the application does not explicitly prevent or deny “Clickjacking” style attacks. “Clickjacking”, also known as a "UI redress attack", is an attack that aims at “hijacking” mouse clicks from unaware end-users in order to perform a set of malicious actions on the target site.
Reaction: “What the hell is Clickjacking??”

Test Fail: Requirement 104
X-Frame-Options header shall be set to “deny” on all HTTP responses. It is recommended this be performed by the load balancer.
Reaction: “I’m 12 and totally understand what I need to do!”

• Implemented right the first time and clear guidance when not
• Very few false positives
• Lack of a Clickjacking finding != clickjacking is not a real risk – it may not have been tested
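Requirement 104 in the pass/fail form the slide contrasts with a vulnerability finding, written here as an added example rather than code from the deck; the sample responses, hostnames and the report layout are constructed assumptions:

```python
"""Requirement 104 as an automated pass/fail check (added example, not the deck's code).

Constructed sample responses stand in for what a DAST tool or an HTTP client
would capture; header names are matched case-insensitively as HTTP requires.
"""
from dataclasses import dataclass, field

REQUIREMENT_ID = 104
REQUIREMENT_TEXT = 'X-Frame-Options header shall be set to "deny" on all HTTP responses.'


@dataclass
class ResponseSample:
    """One captured HTTP response: the URL requested and the response headers."""
    url: str
    headers: dict = field(default_factory=dict)


def header_value(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def check_requirement_104(responses):
    """Return (passed, failures); failures lists (url, reason) for every response
    that does not carry X-Frame-Options: deny.

    "DENY" in any letter case passes. A missing header, SAMEORIGIN, ALLOW-FROM or a
    comma-joined value such as "deny, sameorigin" all fail the requirement as written,
    because the requirement asks for exactly "deny" on every response.
    """
    failures = []
    for r in responses:
        xfo = header_value(r.headers, "X-Frame-Options")
        if xfo is None:
            failures.append((r.url, "X-Frame-Options header missing"))
        elif xfo.strip().lower() != "deny":
            failures.append((r.url, f"X-Frame-Options is {xfo!r}, not 'deny'"))
    return not failures, failures


def report(responses):
    """Render the result as a requirement pass/fail rather than a finding."""
    passed, failures = check_requirement_104(responses)
    if passed:
        return f"Test Pass: Requirement {REQUIREMENT_ID}"
    lines = [f"Test Fail: Requirement {REQUIREMENT_ID}", REQUIREMENT_TEXT]
    lines += [f"  {url}: {reason}" for url, reason in failures]
    return "\n".join(lines)


# Constructed sample: three responses from a hypothetical app behind a load balancer.
# Only the first one satisfies the requirement.
SAMPLE_RESPONSES = [
    ResponseSample("https://bank.example/login",
                   {"Content-Type": "text/html", "x-frame-options": "DENY"}),
    ResponseSample("https://bank.example/convert",
                   {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}),
    ResponseSample("https://bank.example/api/convert",
                   {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    print(report(SAMPLE_RESPONSES))
```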
Test strategies

What is a test strategy?
► Consolidated document (often 100+ pages, without security) that sets expectations with developers and other stakeholders

How is it used?
► How often will tests occur? What are the triggers? How do developers pass (acceptance criteria)?
► Provides centralized knowledge of the application to be used by testers
► Enables consistency in test approach
► Provides clarity on dependencies, constraints, and roles & responsibilities including escalation path
► Defines the product to be tested, core functionality and interfaces
► Defines the test objectives - does the application need to meet certain requirements or have a “clean scan?”

Does your security team contribute to your test strategy?
Integrating security teams into the test strategy
Security should collaborate on test strategy sections, such as:
• Scope
• Approach
• Automation strategy
• Test schedule
• Tooling
• Risks and Impacts
• Review and approvals
A good place to establish security-related taxonomy (let’s all speak the same language)
“QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.”
- Kevin
• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.
• Security is confusing to those outside of security.
• Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.
Let’s get practical
Turning theory into action
Example application description
• Imagine that we work for a large financial services organization (or maybe you do)
• Our CEO observes that Bitcoin is taking the world by storm and forms a team to develop a strategy to allow users to make transactions with crypto-currencies
• Inside of our online banking application, we want to include a new feature that will allow users to exchange US Dollars to Bitcoin within their accounts
Example app requirements (user stories)
Feature: Exchange USD for BTC
• ID: FCRY-1
• Story: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Acceptance criteria
• Conversion webpage and form exist
• Conversion endpoint exists
• Swagger API YAML file exists
• Conversion endpoint is able to convert USD to BTC
• Conversion webpage is able to invoke conversion endpoint with user-provided values
Example app QA test case
Description: Exchanging USD to BTC correctly adjusts BTC and USD balances in the user’s account
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: N/A
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the user’s account page should be displayed
• And the user’s account should contain $0 USD and 1 BTC
Manual or Automated: Automated
Example app security test case (TLS)
Description: Utilize TLS connections for all content requiring authenticated access and for transfer of all sensitive information
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: Additional test cases are required to validate other TLS requirements, such as allowed ciphers, disallowed SSL/TLS versions, and use of valid certificates
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the HTTP request should be sent with TLS 1.2
Manual or Automated: Automated
Example app security test case (input validation)
Description: Validate user input matches defined whitelist criteria
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: POST parameter “USD” allowed values are whole numbers in the range of 0 to 25000
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types <valToTransfer> into the USD box and clicks “Convert”
• Then the USD to BTC conversion webpage should be displayed
• And “Please transfer a valid quantity of USD” should be displayed in the “errorMsg” field
Manual or Automated: Automated
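The input validation test case above, together with the Then-steps of the QA test case, as runnable code; this is an added example and not code from the deck, and the conversion endpoint, the fixed exchange rate, the insufficient-funds message and the <valToTransfer> example table are assumptions:

```python
"""The FCRY-1 input-validation security test case as executable code (added example).

The whitelist from the test case's Remarks is: POST parameter "USD" accepts whole
numbers in the range 0 to 25000. The conversion endpoint, exchange rate and the
insufficient-funds message are constructed assumptions, not from the deck.
"""
import re
from dataclasses import dataclass

USD_MIN, USD_MAX = 0, 25000
ERROR_MSG = "Please transfer a valid quantity of USD"   # from the test case
INSUFFICIENT_MSG = "Insufficient USD balance"           # constructed assumption
USD_PER_BTC = 9000                                       # constructed fixed rate

# Whitelist pattern: ASCII digits only; no sign, whitespace, decimals, exponent or
# leading zeros. Deliberately [0-9] rather than \d: \d also matches Unicode digits
# such as "１２３" or "٩", and int() accepts those too, so a check built on int()
# alone is wider than the requirement says.
_WHOLE_NUMBER = re.compile(r"(?:0|[1-9][0-9]{0,4})")


def validate_usd(raw):
    """Return the accepted integer, or None when the value fails the whitelist."""
    if not isinstance(raw, str) or _WHOLE_NUMBER.fullmatch(raw) is None:
        return None
    value = int(raw)
    return value if USD_MIN <= value <= USD_MAX else None


@dataclass(frozen=True)
class Page:
    """What the browser shows after clicking Convert."""
    name: str        # "account" or "conversion"
    error_msg: str   # contents of the errorMsg field, "" when none
    usd: int
    btc: float


def convert_usd_to_btc(usd_balance, btc_balance, raw_usd):
    """Hypothetical conversion endpoint mirroring the Then-steps of both test cases."""
    amount = validate_usd(raw_usd)
    if amount is None:
        # Security test case: stay on the conversion page and show the error message.
        return Page("conversion", ERROR_MSG, usd_balance, btc_balance)
    if amount > usd_balance:
        # A separate business rule (assumed): whitelist passed, but funds are short.
        return Page("conversion", INSUFFICIENT_MSG, usd_balance, btc_balance)
    # QA test case: account page with adjusted balances.
    return Page("account", "", usd_balance - amount, btc_balance + amount / USD_PER_BTC)


def run_scenario_outline(examples):
    """Data-driven form of the Gherkin script: one row per <valToTransfer>.

    examples: iterable of (valToTransfer, expected_rejected). Each row starts from the
    Given state (0 BTC, $9,000 USD). Returns the rows that did not behave as expected;
    an empty list means the security test case passes.
    """
    failed_rows = []
    for val_to_transfer, expected_rejected in examples:
        page = convert_usd_to_btc(9000, 0.0, val_to_transfer)
        rejected = page.name == "conversion" and page.error_msg == ERROR_MSG
        if rejected != expected_rejected:
            failed_rows.append(val_to_transfer)
    return failed_rows


# Constructed example table: values the whitelist must reject, plus the happy path.
EXAMPLES = [
    ("9000", False),     # QA happy path
    ("0", False),        # lower bound is allowed
    ("25000", False),    # upper bound passes the whitelist (fails the balance rule instead)
    ("25001", True),     # above upper bound
    ("-1", True),        # sign
    ("9000.5", True),    # decimals
    ("1e3", True),       # exponent notation: float() would accept it
    (" 9000", True),     # whitespace
    ("09000", True),     # leading zero
    ("１２３", True),     # full-width digits: int("１２３") == 123
    ("", True),          # empty
]

if __name__ == "__main__":
    bad = run_scenario_outline(EXAMPLES)
    print("Test Pass: FCRY-1 input validation" if not bad else f"Test Fail: {bad}")
```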
Leverage existing QA reporting
Is this compatible with DevOps?
• Doing this now as part of an Agile transformation, heavily leveraging DevOps
• Adds more work for security up front, but increases compliance with security requirements due to transparency, consistency, and delivering more actionable output (i.e. requirements, not vulnerabilities)
• Improves collaboration between security and product teams and provides better insight into risks during design and development processes
Improved testing workflow implementing security
[Diagram: Requirements Gathering → Test Planning → Test Development → Test Execution → Test Reporting; requirements feed reporting. Legend: QA Testing; QA and Security Testing]
Next steps
• Identify the QA leads within your organization
• Find out about their test processes and artifacts (strategies, test cases, reports, dashboards, etc.)
• Work with QA to more formally integrate security into existing testing frameworks
• Build a repository of reusable, actionable security requirements
• Sit in sprint planning and add security requirements to user stories
• Write your first security test case
© 2019 EYGM Limited.
All Rights Reserved.

My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

A Stratagem on Strategy: Rolling Security Testing into Product Testing

1. A Stratagem on Strategy: Rolling Security Testing into Product Testing
October 24, 2019

2. The people up front

• 11 years in AppSec
• 6th LASCON presentation
• <3 BBQ
• Writes lots of code
• Apps and infrastructure
• <3 DevOps
• Always looking to learn from other domains
• Believes in unicorns
• Shocked I like WoW Classic (not 60 yet..)

• 15 years relevant experience
• 8 years dev
• 7 years security
• 4 years AppSec consulting
• Passionate about DevSecOps and changing the way organizations perform security testing
• 1 wife, 3 children (ages 14, 12, 9)
• Archeage is better than WoW (fight me)

Kevin Fealey, Josh Wallace

3. A Stratagem on Strategy - Overview

1. Comparing Quality and Security Assurance
2. Vulnerabilities vs Requirements
3. Security Test Strategy
4. Practical Example: Requirements, Test cases, Reporting
5. Compatibility with DevOps
6. Next Steps

Key Takeaways
• QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.
• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.

Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.

4. Security assurance program strategy

Mature programs
• Risk-based approach
• Higher risk applications receive more (broader & deeper) security attention
• Security governance and general processes for the following activities:
  • User story reviews
  • Security architecture assessments
  • Frequent threat modeling
  • Manual security code review
  • Manual penetration test
  • SAST, DAST, IAST integrated into CI
  • Supply chain security (third party / FOSS)

Less mature programs
• Most/all applications treated the same by security
• SAST, DAST, IAST integrated into CI
• Supply chain security (FOSS)
• Manual pen tests as required for compliance

5. Quality Assurance (QA) program strategy

Mature programs
• Full set of functional and nonfunctional requirements
• Formalized test strategy that details:
  • System architecture
  • Test scope
  • Dependencies and constraints
  • Milestones and activities
  • Governance model
  • Roles and responsibilities
  • Assumptions
  • Test approach & methodology for unit, integration, system and user acceptance testing
  • Defect management
  • Requirement traceability
  • Tooling
• Formalized test plans for each test phase detailing specific tests for a particular application
• Test case management platform and processes to standardize and centralize test information

Less mature programs
• Same as above

6. Security vs quality assurance summary

7. Stages of testing

Requirements Gathering → Test Planning → Test Development → Test Execution → Test Reporting
(Requirements feed reporting)

Legend: QA Testing; QA and Security Testing

8. Delivering vulnerabilities vs pass/fail requirements

Finding 104: Clickjacking
It was observed that the application does not explicitly prevent or deny “Clickjacking” style attacks. “Clickjacking”, also known as a "UI redress attack", is an attack that aims at “hijacking” mouse clicks from unaware end-users in order to perform a set of malicious actions on the target site.
“What the hell is Clickjacking??”

Test Fail: Requirement 104
X-Frame-Options header shall be set to “deny” on all HTTP responses. It is recommended this be performed by the load balancer.
“I’m 12 and totally understand what I need to do!”

• Implemented right the first time and clear guidance when not
• Very few false positives
• Lack of a Clickjacking finding != clickjacking is not a real risk – it may not have been tested

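Requirement 104 carried into code as an added example (not part of the deck): the requirement is evaluated across several constructed HTTP responses and reported PASS/FAIL per response with the requirement ID and the slide's remediation attached, the way a QA test case would be reported. The Requirement and CapturedResponse types, the URLs and the header values are all constructed here for illustration.

```python
# Added example (not from the LASCON deck): slide 8's "Requirement 104" expressed
# as a pass/fail check with requirement traceability. Responses are constructed.
from dataclasses import dataclass

@dataclass
class Requirement:
    req_id: str
    statement: str
    remediation: str

# Requirement 104 as written on the slide; the remediation is the slide's own advice.
REQ_104 = Requirement(
    req_id="104",
    statement='X-Frame-Options header shall be set to "deny" on all HTTP responses.',
    remediation="Set X-Frame-Options: DENY at the load balancer so every response carries it.",
)

@dataclass
class CapturedResponse:  # one HTTP response as a test harness would record it (constructed)
    url: str
    headers: list  # (name, value) pairs; a header name may repeat

def header_values(resp, name):
    # HTTP header names are case-insensitive, and a header may appear more than once.
    return [v.strip() for n, v in resp.headers if n.lower() == name.lower()]

def check_req_104(resp):
    """Return (passed, detail) for a single response."""
    values = header_values(resp, "X-Frame-Options")
    if not values:
        return False, "header absent"
    if len(values) > 1:
        # Conflicting duplicates fail even if one of them is DENY.
        return False, "header set %d times: %s" % (len(values), values)
    if values[0].upper() != "DENY":  # browsers match the directive case-insensitively
        return False, "value is %r, not DENY" % values[0]
    return True, "ok"

def run_requirement(req, responses, check):
    """Evaluate one requirement over every response; it passes only if all of them pass."""
    rows = []
    for resp in responses:
        passed, detail = check(resp)
        rows.append({"requirement": req.req_id, "url": resp.url,
                     "result": "PASS" if passed else "FAIL", "detail": detail})
    overall = all(row["result"] == "PASS" for row in rows)
    report = {"requirement": req.req_id, "statement": req.statement,
              "overall": "PASS" if overall else "FAIL", "rows": rows}
    if not overall:
        report["action"] = req.remediation  # the fix travels with the failed requirement
    return report

# Constructed responses from the example app: conversion page, its API, a static asset.
SAMPLE_RESPONSES = [
    CapturedResponse("https://bank.example/convert",
                     [("Content-Type", "text/html"), ("x-frame-options", "deny")]),
    CapturedResponse("https://bank.example/api/convert",
                     [("Content-Type", "application/json")]),
    CapturedResponse("https://bank.example/static/app.js",
                     [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")]),
]

if __name__ == "__main__":
    print(run_requirement(REQ_104, SAMPLE_RESPONSES, check_req_104))
```

The per-response rows are what goes into the existing QA report; the overall verdict is what fails the build.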
9. Test strategies

What is a test strategy? How is it used?
► Consolidated document (often 100+ pages, without security) that sets expectations with developers and other stakeholders
► How often will tests occur? What are the triggers? How do developers pass (acceptance criteria)?
► Provides centralized knowledge of the application to be used by testers
► Enables consistency in test approach
► Provides clarity on dependencies, constraints, and roles & responsibilities including escalation path
► Defines the product to be tested, core functionality and interfaces
► Defines the test objectives - does the application need to meet certain requirements or have a “clean scan?”

Does your security team contribute to your test strategy?

10. Integrating security teams into the test strategy

Security should collaborate on test strategy sections, such as:
• Scope
• Approach
• Automation strategy
• Test schedule
• Tooling
• Risks and Impacts
• Review and approvals

A good place to establish security-related taxonomy (let’s all speak the same language)

11. “QA is a valued, mature function in most organizations, is well-understood by developers, and clearly demonstrates test coverage.” - Kevin

• Security generally does not provide a measure of test coverage, across security domains (most common), application functions, or lines of code.
• Security is confusing to those outside of security.
• Thesis: There is an opportunity for security to better integrate into QA processes by adopting their methodologies, which may improve consistency and relationships, while reducing confusion.

12. Let’s get practical: Turning theory into action

13. Example application description

• Imagine that we work for a large financial services organization (or maybe you do)
• Our CEO observes that Bitcoin is taking the world by storm and forms a team to develop a strategy to allow users to make transactions with crypto-currencies
• Inside of our online banking application, we want to include a new feature that will allow users to exchange US Dollars to Bitcoin within their accounts

14. Example app requirements (user stories)

Feature: Exchange USD for BTC
• ID: FCRY-1
• Story: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)

Acceptance criteria
• Conversion webpage and form exist
• Conversion endpoint exists
• Swagger API YAML file exists
• Conversion endpoint is able to convert USD to BTC
• Conversion webpage is able to invoke conversion endpoint with user-provided values

15. Example app QA test case

Description: Exchanging USD to BTC correctly adjusts BTC and USD balances in the user’s account
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: N/A
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the user’s account page should be displayed
• And the user’s account should contain $0 USD and 1 BTC
Manual or Automated: Automated

16. Example app security test case (TLS)

Description: Utilize TLS connections for all content requiring authenticated access and for transfer of all sensitive information
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: Additional test cases are required to validate other TLS requirements, such as allowed ciphers, disallowed SSL/TLS versions, and use of valid certificates
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types “9000” into the USD box and clicks “Convert”
• Then the HTTP request should be sent with TLS 1.2
Manual or Automated: Automated

17. Example app security test case (input validation)

Description: Validate user input matches defined whitelist criteria
Related requirement and/or test: FCRY-1: As a user, I want to exchange US Dollars (USD) in my account to Bitcoin (BTC)
Remarks/Notes: POST parameter “USD” allowed values are whole numbers in the range of 0 to 25000
Gherkin Script:
• Given the USD to BTC conversion webpage
• And a user account containing 0 BTC and $9,000 USD
• When the user types <valToTransfer> into the USD box and clicks “Convert”
• Then the USD to BTC conversion webpage should be displayed
• And “Please transfer a valid quantity of USD” should be displayed in the “errorMsg” field
Manual or Automated: Automated

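An added example (not part of the deck) implementing the whitelist from slide 17's remark and driving it with a table of <valToTransfer> values, the way the scenario outline would; as a contrast it also shows why a bare int() conversion is not a whitelist. The function names and the example values are constructed here.

```python
# Added example (not from the deck): the whitelist from slide 17's remark, "POST
# parameter 'USD' allowed values are whole numbers in the range of 0 to 25000",
# driven by a table of <valToTransfer> values as the slide's scenario outline would be.
import re

USD_MIN, USD_MAX = 0, 25000
ERROR_MSG = "Please transfer a valid quantity of USD"  # the slide's errorMsg text

# Whitelist: canonical decimal whole number, ASCII digits only, no sign, no
# whitespace, no leading zeros (except "0" itself). [0-9] is ASCII-only, unlike \d.
WHOLE_NUMBER = re.compile(r"(0|[1-9][0-9]{0,4})")

def validate_usd(raw):
    """Return (True, value) for an allowed USD amount, else (False, ERROR_MSG)."""
    if not isinstance(raw, str) or WHOLE_NUMBER.fullmatch(raw) is None:
        return False, ERROR_MSG
    value = int(raw)
    if not USD_MIN <= value <= USD_MAX:  # the regex alone allows up to 99999
        return False, ERROR_MSG
    return True, value

def naive_validate_usd(raw):
    """The tempting shortcut, kept only to show what int() lets through."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return False, ERROR_MSG
    return (True, value) if USD_MIN <= value <= USD_MAX else (False, ERROR_MSG)

# Scenario-outline rows (constructed): <valToTransfer> and whether the conversion
# should be accepted. Rejected values must land back on the conversion page with
# ERROR_MSG in the "errorMsg" field.
EXAMPLES = [
    ("9000", True),      # happy path from slide 15
    ("0", True),         # lower bound
    ("25000", True),     # upper bound
    ("25001", False),    # just above the range
    ("-1", False),       # negative
    ("9000.50", False),  # not a whole number
    ("9e3", False),      # scientific notation
    ("", False),         # empty field
    (" 9000", False),    # leading whitespace: int() strips it
    ("+9000", False),    # explicit sign: int() accepts it
    ("9_000", False),    # digit separator: int() accepts it
    ("09000", False),    # leading zero: not canonical
    ("\uff19\uff10\uff10\uff10", False),  # fullwidth digits: int() accepts them too
]

def misjudged(validator):
    """Return the <valToTransfer> values a validator gets wrong against EXAMPLES."""
    return [raw for raw, accept in EXAMPLES if validator(raw)[0] != accept]

if __name__ == "__main__":
    print("whitelist validator misjudges:", misjudged(validate_usd))
    print("int()-based validator misjudges:", misjudged(naive_validate_usd))
```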
18. Leverage existing QA reporting

19. Is this compatible with DevOps?

• Doing this now as part of an Agile transformation, heavily leveraging DevOps
• Adds more work for security up front, but increases compliance with security requirements due to transparency, consistency, and delivering more actionable output (i.e. requirements, not vulnerabilities)
• Improves collaboration between security and product teams and provides better insight into risks during design and development processes

20. Improved testing workflow implementing security

Requirements Gathering → Test Planning → Test Development → Test Execution → Test Reporting
(Requirements feed reporting)

Legend: QA Testing; QA and Security Testing

21. Next steps

• Identify the QA leads within your organization
• Find out about their test processes and artifacts (strategies, test cases, reports, dashboards, etc.)
• Work with QA to more formally integrate security into existing testing frameworks
• Build a repository of reusable, actionable security requirements
• Sit in sprint planning and add security requirements to user stories
• Write your first security test case

22. EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.

© 2019 EYGM Limited. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com