Monday, 4 July 2011

Developers Vs QA Vs Security testers

When developing software there are now 3 groups of techies involved:
  • Developers
  • Functional testers (QA)
  • Security testers
For a while I've been trying to convince developers that they really need to have a basic understanding of security testing - you just can't develop a secure application unless you know how it's going to be attacked.
However when I was preparing for my OWASP talk for AppSec EU in Dublin, I started thinking about this a bit more.

And now I think that can be expanded:

Developers, QA and security testers all need to have a pretty good understanding of what the other 2 groups do.

So I'm saying you can't really be a good developer unless you know about QA (functional testing) AND about security testing.
You don't have to be an 'expert' in both areas, but you need to have a good grounding in each.
The former is actually quite common - most developers (at least in my experience) work pretty closely with QA and so should have picked up a fairly good idea of what they do and how they do it. The latter, well, some do and some don't.

But the converse is also true - I don't think you can be a good security tester without knowing about both development and QA.
And you can be a good functional tester without knowing about both development and security testing.

Anyone feel like arguing against that? :)

Which group are you in, and how good is your understanding of the other 2 disciplines?

Saturday, 11 June 2011

OWASP AppSec EU 2011 review

OK, OK, I've failed miserably to keep this blog even vaguely up to date.
But I've just got back from OWASP AppSec EU 2011, so a quick review is a good way to kick it off again.

I'm relatively new to the security 'scene', so it was the first major OWASP event I've been to, and I didn't really know what to expect.

What I found was a great bunch of people - friendly, helpful and supportive. I had a great time.

The location, venue and organization were excellent - obviously Dublin's a great city, and Trinity College was an ideal venue.
And congrats to the organizers - they did a really good job.

As there were 3 talks going on at any one time there were quite a few I wanted to go to but couldn't - I'll definitely watch them on video when they get posted.

Of the ones I did get to my favorites were:

How to become Twitter's admin: An introduction to Modern Web Service Attacks

That introduced me to a whole new range of web service specific attacks I didn't know about.
I think some people in the audience got a bit hung up on the fact that there were countermeasures to the examples given. But there are countermeasures to things like SQLi and XSS, and they still happen all too frequently!

Integrating security testing into an SDLC

A very polished performance from the IBM speaker, but it was engaging and full of real world experience.

Python Basics for Web App Pentesters

I'm an old school Perl hacker, and I've been meaning to delve into some of the newer scripting languages for ages.
And Justin's convinced me to go for Python first.

Putting the Smart into Smartphones

Packed room for this one, and for a very good reason.
Lots of really useful examples, advice and guidance.

And finally...

Obviously I can't really give an objective opinion about my own talk, "An Introduction to the OWASP Zed Attack Proxy".
From my point of view there were things that could have gone better: my throat was killing me, and I had problems with the wireless mic (not used one before).
But the talk was well attended and seemed to go down well.
And it was a great place to showcase ZAP 1.3.0 (which I'll post about soon)!
Any feedback gratefully received (especially if it's constructive ;).
I'll post a link to the slides and video from here when they're uploaded.
Unless I really can't stand the video ;)

Sunday, 30 January 2011

OWASP Appsec Tutorial Series Episode 1

Jerry Hoff has just started a series of videos introducing people to OWASP and the world of application security.

Episode 1 is available here:

I think it's a great start, and I strongly recommend that everyone checks it out.