Introducing Security Testing to Developers: Experiences and Lessons Learned

By Achim D. Brucker.

It is commonly accepted that security testing should be applied as early as possible in the software development life-cycle. This requires selecting application security testing tools that are easy to use for developers and, thus, developers should participate in the selection and roll-out of such tools. In this talk, I will provide an overview of what one can expect from (commercial) application security testing tools and report on my experience of introducing them in a large development organisation (over 25000 developers) that uses a wide range of development methodologies, ranging from smaller teams with multiple shipments per day to large organisations following a traditional model with quarterly or yearly releases.

Please cite this work as follows:
A. D. Brucker, “Introducing security testing to developers: Experiences and lessons learned,” presented at the Checkmarx security conference, Tokyo, Japan, Dec. 01, 2017. Author copy: https://logicalhacking.com/publications/talk-brucker.ea-cx-security-testing-2017/

BibTeX
@Unpublished{ talk:brucker.ea:cx-security-testing:2017,
  date       = {2017-12-01},
  title      = {Introducing Security Testing to Developers: Experiences and
                Lessons Learned},
  author     = {Achim D. Brucker},
  venue      = {Tokyo, Japan},
  eventtitle = {Checkmarx Security Conference},
  abstract   = {It is commonly accepted that security testing should be
                applied as early as possible in the software development
                life-cycle. This requires selecting application security
                testing tools that are easy to use for developers and, thus,
                developers should participate in the selection and roll-out of
                such tools. In this talk, I will provide an overview of what one
                can expect from (commercial) application security testing
                tools and report on my experience of introducing them in a
                large development organisation (over 25000 developers) that
                uses a wide range of development methodologies, ranging from
                smaller teams with multiple shipments per day to large
                organisations following a traditional model with quarterly or
                yearly releases.},
  areas      = {security, software},
  note       = {Author copy: \url{https://logicalhacking.com/publications/talk-brucker.ea-cx-security-testing-2017/}},
  pdf        = {https://logicalhacking.com/publications/talk-brucker.ea-cx-security-testing-2017/talk-brucker.ea-cx-security-testing-2017.pdf},
}