Comments on Building Real Software: Appsec's Agile Problem
Blog author: Jim Bird
Comment feed last updated: 2023-07-10

Jim Bird, 2013-12-09 09:28 (-08:00):
Stephen,
Cool, I didn't know about your BDD security testing framework. This is definitely a step in the right direction!

Stephen de Vries, 2013-12-08 00:27 (-08:00):
I think application security should be integrated into software dev the same way that UI and performance are integrated: most developers are their own UI and performance experts. Sure there are external specialists in these areas, but the majority of the work is done by the developers themselves. This should be true for security too.

Thanks for linking to my paper on integrating security into unit/integration testing. Since publishing that, I've built a BDD security testing framework (http://www.continuumsecurity.net/bdd-intro.html) designed for that purpose, based on JBehave and TestNG so developers can use tools familiar to them.

Joe, 2013-12-05 10:48 (-08:00):
"Most Agile development teams suck at building secure software."

I'm pretty sure you could have written that sentence and left out the word "Agile".

dre, 2013-12-05 10:21 (-08:00):
"Appsec has to change its role from assurance/auditing and compliance to proactively enabling self-service secure development"

Love that quote.

My advice: continuous mitigation by staffing using Poisson to incidents, OR, _start_ with appsec goals in mind so that it is never even associated with the backlog.