Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Security Testing at SAP SE

Everybody developing software should accept the challenge of developing secure software. This is not an easy challenge: it requires an end-to-end security development life-cycle (SDLC) that integrates well with your existing software development processes.

Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers". Fixing bugs that late in the development process is not only expensive, it also conflicts with agile development in general and the DevOps model in particular.

SAP's Security Testing Strategy enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. When you want to integrate security testing into your (agile) software development, most people emphasize how important a security awareness program for both developers and managers is. While security awareness is important, our experience is that developer awareness is even more important! Listen to your developers and help them. Recall that building secure systems is much more difficult than finding a successful attack.

Do not expect your developers to become security experts (or penetration testers). Expect them to become security aware, and help them with development-friendly tools that spot security vulnerabilities early during development and that are well integrated into the tools and workflows the developers already use. Finally, make the process of fixing issues as easy and painless as possible: the effort of fixing an issue should never be the main reason for not fixing it. If you want to learn more about SAP's Security Testing Strategy, you can watch my presentation at OWASP AppSec 2014 on YouTube (slides are also available).

Welcome to the blog of the Software Assurance & Security Research Team at the University of Exeter. We blog regularly news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.

You can also follow us on Twitter: @logicalhacking.
