The OWASP – VA Local Chapter infosec meetup event last week featured a showing of the “The New Face of CyberCrime” documentary and a presentation titled “Integrating Security into the QA Group.” The video featured many prominent security luminaries and was very informative for the general audience that Fortify was marketing it to. It focused on the recent barrage of personal data losses from large companies (TJX being the obvious example). One interesting note: a company featured in the film ended up suffering a data breach soon after Fortify released the documentary, even though during the movie one of its executives repeatedly stated how important the privacy of customer data was to them. To be fair, up to that point they did have a clean record. After the video, the group discussed various themes, likes, and dislikes.
Next, Robert Rachwald presented his talk “Integrating Security into QA.” Getting QA to do security testing is very similar to the more recent trend of integrating security into the development lifecycle by teaching developers how to design and code securely. Pushing security into QA runs into many of the same challenges, so we can apply what we learned from that effort to succeed here. The ultimate conclusion was that we need to incorporate security test cases into the existing QA infrastructure and tools rather than trying to get QA personnel to adopt separate security tools. Additionally, QA must start earlier in the development process and focus on root causes (e.g., scanning code for defects) rather than on the later effects (e.g., findings from a pen test). Of course, this is where the Fortify software fits in, since it is geared toward QA staff and toward scanning code early in the development process.
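As an added illustration of the talk's main point (this is my own example, not code from the presentation or from Fortify), here is what "security tests in the existing QA infrastructure" can look like in practice: a hypothetical file-download helper, `resolve_upload_path`, with its ordinary functional tests and its security abuse cases living side by side in the same plain `unittest` suite that QA already runs. The handler, directory name and test inputs are all constructed for this example.

```python
import posixpath
import unittest

# Hypothetical upload directory used only for this example.
BASE_DIR = "/srv/app/uploads"


def resolve_upload_path(base_dir, requested_name):
    """Map a user-supplied filename to an absolute path under base_dir.

    Returns the resolved path, or None when the request must be rejected
    (NUL bytes, absolute paths, or anything that escapes base_dir).
    """
    if "\x00" in requested_name:
        return None
    if posixpath.isabs(requested_name):
        return None
    normalized = posixpath.normpath(requested_name)
    # normpath("") and normpath("a/..") both collapse to ".", which is not a file.
    if normalized == "." or normalized == ".." or normalized.startswith("../"):
        return None
    candidate = posixpath.join(base_dir, normalized)
    # Final containment check: the resolved path must still sit under base_dir.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


class UploadPathTests(unittest.TestCase):
    """Functional cases QA would write anyway, plus security cases in the same style."""

    # --- functional behaviour ---
    def test_plain_filename_resolves_under_base(self):
        self.assertEqual(resolve_upload_path(BASE_DIR, "report.pdf"),
                         "/srv/app/uploads/report.pdf")

    def test_nested_and_redundant_separators_are_normalized(self):
        self.assertEqual(resolve_upload_path(BASE_DIR, "./2024//q1/report.pdf"),
                         "/srv/app/uploads/2024/q1/report.pdf")

    # --- security behaviour: abuse cases expressed as ordinary test data ---
    def test_traversal_and_escape_attempts_are_rejected(self):
        # Constructed attacker inputs; each must map to None.
        malicious = [
            "../etc/passwd",
            "2024/../../etc/passwd",
            "/etc/passwd",
            "report.pdf\x00.jpg",
            "",
            "2024/..",
        ]
        for name in malicious:
            with self.subTest(name=name):
                self.assertIsNone(resolve_upload_path(BASE_DIR, name))

    def test_dotdot_as_a_prefix_of_a_real_name_is_allowed(self):
        # "..foo" is a legitimate filename, not a traversal; over-blocking it
        # would be a functional bug that the same suite catches.
        self.assertEqual(resolve_upload_path(BASE_DIR, "..foo"),
                         "/srv/app/uploads/..foo")


def run_suite():
    """Run the suite programmatically (e.g., from a CI step) and return the result."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(UploadPathTests)
    return unittest.TextTestRunner(verbosity=0).run(suite)


if __name__ == "__main__":
    unittest.main()
```

The point is not the path check itself but where the abuse cases live: they are loaded by the same test runner, reported in the same results, and gated in the same CI job as the functional tests, so QA never has to learn or operate a separate security tool to keep them running.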
See our original post for more information about the talks. Overall, this infosec meetup was another success for the organizers of the OWASP – VA Local Chapter. Thanks to them for organizing it, to Booz Allen for the facilities, and to Fortify for dinner.