Security is not an act, it is a habit - mature quality practices and business
Michał Kucharski
Main message
Security of our products is something we must have. Under time-to-market pressure we forget about that crucial thing and give security only a glimpse. Our software is delivered without a balanced software security program. But if we want, we can introduce a security model into our business model. We can define and measure all security-related activities within a project and/or organization.
Content
Every development organization wants its security score to be as high as possible, whether it builds buildings, software or hardware. Security of our products is something we must have. Under time-to-market pressure we forget about that crucial thing and give security only a glimpse. Our software is delivered without a balanced software security program. But if we want, we can introduce a security model into our business model. We can define and measure all security-related activities within a project and/or organization. The main question is also what we want from a tester, a penetration tester, or the overall security and quality monitoring program, and how we want to introduce corrections and improvements into the software development life cycle.
Even an initial understanding and ad hoc provisioning can limit an incoming attacker. After the first success we can always increase the efficiency and effectiveness of our trained security and penetration testing group, and in the final product reach comprehensive mastery at scale. But this may not limit a red team, and probably won't.
Software with proper governance, construction, verification and deployment can still be exploited, but it is much harder and there are fewer possibilities. Is the security of our product really so crucial for us, or can we put the product live and think about it later? What does the business think about an assurance program? Let us explore.
Target group
Experienced testers, business analysts, product owners, project managers
5 take-homes for attendees
- The Security Assessment Maturity Model is not a separate phase of the software development life cycle. It is a process that should be welded tightly to the product roadmap
- The organization should know and be aware of the risks that are live
- The business starts with the core activities and ties them to software development. For each business function, 3 security practices should be defined
- Security process covers all areas relevant to software security assurance.
- A penetration tester and a security specialist are must-haves.
Speaker

Michał Kucharski
Fan of technological solutions that make life easier: from his own proof-of-concept hardware to designed IoT and IIoT devices or a ConnectedCar solution. Maker, leather crafter and carpenter with love and passion. Connected with testing and security since childhood: everything can be reversed and everything can be automated. 11 years in the testing area, from large-scale, multi-layered test automation deployment to penetration testing and security consultancy.