The recording of the webinar on the benefits of applying security testing as early as possible in software development is now available online.
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be part of any software development life-cycle. Still, security testing is often understood as an activity done by security testers in the time between “end of development” and “offering the product to customers”.
Traditional testing teaches us that fixing a bug becomes more costly the later in development it is found. We therefore believe that security testing should be integrated into the daily development activities.
Based on the SDLC of a large software vendor, we will present the benefits of early security testing and discuss what is necessary to achieve a “security testing as development activity” approach.
The webinar was hosted by Checkmarx.
After eight years of innovating and driving security at SAP SE and helping the SAP development organization to become great in software security (guys at SAP, you are doing a great job!), it is time for new challenges: I am making a “double move”, first, from industry to academia and, second, from Germany to the UK.
Today, I am starting a “new life” as Associate Professor (Senior Lecturer) at The University of Sheffield, heading the Software Assurance & Security Research Team. While I am looking forward to having more time for basic research, e.g., working on theoretical and formal topics, I do not want to lose ties to industry. Thus, applied research and industrial applications also remain an important part of my research agenda.
The particular strength of my team is its deep understanding of both theory and practice, which allows us to bridge the gap between theory and practice as well as between industry and academia. We will work on all kinds of aspects of developing secure, reliable, and resilient software (and hardware) systems.
Let’s stay in touch; I am looking forward to collaboration opportunities with all of you, regardless of whether you are working in industry or academia and regardless of whether we have worked together before!
Everybody developing software should, in fact, accept the challenge to develop secure software. This is not an easy challenge: it requires an end-to-end security development life-cycle (SDLC) that integrates well with your software development processes.
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be part of any software development life-cycle. Still, security testing is often understood as an activity done by security testers in the time between “end of development” and “offering the product to customers”. Fixing bugs that late in the development process is not only expensive, it also conflicts with agile development in general and the DevOps model in particular.
SAP’s Security Testing Strategy enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. When you want to integrate security testing into your (agile) software development, most people emphasize how important a security awareness program for both developers and managers is. While security awareness is important, our experience is that developer awareness, i.e., the security team being aware of the developers’ needs, tools, and workflows, is even more important! Listen to your developers and help them. Recall, building secure systems is much more difficult than finding a successful attack.
Do not expect your developers to become security experts (or penetration testers) – expect them to become security aware, and help them with development-friendly tools that spot security vulnerabilities early during development and that are nicely integrated into the tools and workflows the developers already use. And, finally, make the process of fixing issues as easy and painless as possible: the effort of fixing an issue should never be the reason it goes unfixed. If you want to learn more about SAP’s Security Testing Strategy, you can watch my presentation at OWASP AppSec 2014 on YouTube (slides are also available).