An End to Testing Ourselves Secure?
Why I’m Here
Ground Rules
This is a presentation discussion
Let other people speak!
15-minute time-boxed discussions; revisit parked issues at the end
Framing the Problem
[Chart: Relative cost to fix, based on time of detection, by phase: Requirements / Architecture; Coding; Integration / Component Testing; System / Acceptance Testing; Production / Post-Release]
Source: NIST
Highest ROI
Where we find flaws today
Look familiar?
February 2012 Report from Quocirca
Results of an Open SAMM Assessment
Discussion Question 1: Is there a problem with relying primarily on verification?
Isn’t static analysis a “good enough” solution?
Discussion Question 2: Can we effectively scale training and threat modeling?
Discussion Question 3: Can we effectively scale security requirements?
Resources
Learning from other process changes
Cultural Challenges to Secure SDLC
• “Incompetent developer” challenge
• “Security is special” challenge
• Domain-specific vs. domain-agnostic
• Fitting a square peg into a round hole
Conclusions?
[email protected]: @rksethi