Security Testing: Myths, Challenges, and Opportunities

By Achim D. Brucker.

Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between “end of development” and “offering the product to customers.”

On the one hand, learning from traditional testing that fixing a bug becomes more costly the later in development it is done, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a “close-to-production” or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.

In this talk, we will report on our experiences in integrating security testing “end-to-end” into SAP’s software development lifecycle in general and, in particular, SAP’s Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the area of security testing.

Please cite this work as follows:
A. D. Brucker, “Security testing: Myths, challenges, and opportunities,” presented at the Keynote: 6th International Workshop on Security Testing (SECTEST), Graz, Austria, Apr. 13, 2015. Invited Keynote. Author copy: https://logicalhacking.com/publications/talk-brucker-sectest-2015/

BibTeX
@Unpublished{ talk:brucker:sectest:2015,
  date              = {2015-04-13},
  title             = {Security Testing: Myths, Challenges, and Opportunities},
  author            = {Achim D. Brucker},
  venue             = {Graz, Austria},
  eventtitle        = {Keynote: 6th international Workshop on Security Testing
                       (SECTEST)},
  abstract          = {Security testing is an important part of any security
                       development lifecycle (SDL) and, thus, should be a part of any
                       software (development) lifecycle. Still, security testing is
                       often understood as an activity done by security testers in
                       the time between ``end of development'' and ``offering the
                       product to customers.''
                       
                       On the one hand, learning from traditional testing that the
                       fixing of bugs is the more costly the later it is done in
                       development, security testing should be integrated into the
                       daily development activities. On the other hand, developing
                       software for the cloud and offering software in the cloud
                       raises the need for security testing in a
                       ``close-to-production'' or even production environment.
                       Consequently, we need an end-to-end integration of security
                       testing into the software lifecycle.
                       
                       In this talk, we will report on our experiences in integrating
                       security testing ``end-to-end'' into SAP's software
                       development lifecycle in general and, in particular, SAP's
                       Secure Software Development Lifecycle
                       (S\textsuperscript{2}DL). Moreover, we will discuss different
                       myths, challenges, and opportunities in the area of security
                       testing.},
  slideshare        = {key/oeasYMZ6rCqEVp},
  slideshare_width  = {425},
  slideshare_height = {355},
  note              = {Invited Keynote.
                       Author copy: \url{https://logicalhacking.com/publications/talk-brucker-sectest-2015/}},
  areas             = {software, security},
  pdf               = {https://logicalhacking.com/publications/talk-brucker-sectest-2015/talk-brucker-sectest-2015.pdf},
}