The alliance of a security engineer and a tester

25-minute Talk

Security engineers and testers should cooperate for delivering better quality software faster and more reliably (if security is a requirement of the customer at least in basic level).

Virtual Pass session

Timetable

10:45 a.m. – 11:30 a.m. Tuesday 14th

Room

Room F3 - Track 3: Talks

Audience

tester, manager, software engineer, product owner interested in increasing security KPIs of the team

Key-Learnings

  • Security engineers and testers have similar mindset which is great
  • Cooperation between security and quality professionals is beneficial for both
  • There are tools and standards that can help to cooperate
  • It is great if each quality and testing professional would know what OWASP Top Ten is

How security engineer and a tester can cooperate for the better software?

There are awesome similarities between the security engineering and quality engineers. Joining forces can be beneficial in many ways - it helps to build more reliable, better quality software and to move faster in the next iterations. Cooperating on (S)SDLC should help to shift left both testing and security practices (threat modelling, risk analysis). Awesome similarities of a seasoned security engineer and software tester:

- "break it" (to build it better) mindset

- eye to details, carefulness

- hunting bugs (or vulnerabilities)

There are of course also differences like:

- domain focus point: security versus product and process quality

- depth of diving into security knowledge and time to focus on that

How they can cooperate? There are many ways, one of the most welcome are in my opinion OWASP Testing Guide, OWASP Top Ten for web and mobile and OWASP Cheatsheets, aswell SAST and DAST class security scanners. For SAST I would mention SonarQube example with security controls and quality gates in there. As the former Quality Assurance Engineer and tester and current security engineer I'm very enthusiastic about the cooperation and advantages of that in day-to-day software product development. Also basic security testing capabilities are great career development opportunity for testers to be even more valued part of software development teams.

I would like to evangelise a bit about such cooperation, as we can really help each other. In my talk I tend to focus in agile development practice rather than other like waterfall ones.

Related Sessions

Wed, Nov 15 • 10:45 a.m. – 12:30 p.m.
Room D5+D6 - Track 6: Accessibility Deep Dive

Combo-Session: 30-minute Talk & 75-minute Workshop

Virtual Pass session
Tue, Nov 14 • 2:45 p.m. – 3:30 p.m.
Room F3 - Track 3: Talks

25-minute Talk

Mon, Nov 13 • 8:30 a.m. – 4:30 p.m.
F-,E- & D-Rooms

Full-Day Tutorial (6 hours)

Virtual Pass session
Wed, Nov 15 • 10:45 a.m. – 11:30 a.m.
Room F3 - Track 3: Talks

25-minute Talk