Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, aims to be a 30 minutes or less, interview-style series speaking with some of the top Security Testing experts in the field.
The latest episode of the TestGuild Security Testing Podcast features Kevin Greene. Kevin Greene is a thought leader in the area of software security assurance. He currently serves on the advisory board for the New Jersey Institute of Technology (NJIT) Cybersecurity Research Center and Bowie State University's Computer Science department.
While I highly suggest you carve out 30 minutes to give this podcast a listen, until then, here are 3 key takeaways I found intriguing during the interview!
1. Implementing a Security Strategy
“I think it is really important to develop the right mindset as it relates to Security in software development. What I mean by that is the goal is really trying to get the entire team to think about ways in which the software can be attacked, whether it's through doing formal threat modeling, through misuse and abuse cases, and really trying to get people to think about the design decisions that they make upfront. What Security requirements need to be part of the acquisition strategy or part of a solution? Really try to codify those aspects of Security all the way left into acquisitions and requirements so that when you do develop or procure a system, you can test for these requirements that you have built into whatever acquisition strategy you have to reduce your risk and reduce the attack surface that is known to be associated with software development.”
“I think the key aspect is where you try to get everyone on the entire team talking. That means the product owners, the product managers, developers, engineers, you want everyone to think about Security. That way it ensures that everyone is taking a shared responsibility regarding Security.”
“The technology stuff to me is secondary. I think initially developing that level of culture, that level of mentality, that mindset is so important because you can't build Security in if you're not thinking about it from the onset.”
2. Best Practices for Developers
“I think it's very important that developers are aware of security or design principles so that when they are coding, they are aware and understand the consequences of their coding and that they are building or implementing the design correctly in code.
Also, to have developer training and really understanding what I call defensive Security programing and understand ways in which attackers are trying to attack a particular application or system and really understand secure coding principles.”
3. Automation Advice
“A lot of companies struggle to get to a point where they have enough good data to train the algorithms and get some confidence in the fact that they find something you can rely on. The other part is I think we have to be very careful in Automation because we can automate badness as well. So, a lot of times, we have not been good at doing the basic Security hygiene things in practice and if we were to automate that, then we're automating a lot of badness. I think the goal of Automation is really trying to automate the things that we know are proven. Things we've had success with and in some regards are low hanging fruit. Things that become mundane tasks and we can just automate it so we can really try to focus on other things that have some level of complexity.”
Hear the full AppSec interview, where Kevin Greene discussing many other topics like SWAMP, STAMP and many other security insights and perspectives.
About Micro Focus Fortify
Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.