Security engineers and testers should cooperate to deliver better-quality software faster and more reliably (at least where security is a customer requirement, even at a basic level).
There are awesome similarities between security engineers and quality engineers. Joining forces can be beneficial in many ways: it helps to build more reliable, better-quality software and to move faster in the next iterations. Cooperating on the (S)SDLC should help to shift left both testing and security practices (threat modelling, risk analysis). Awesome similarities between a seasoned security engineer and a software tester:
- "break it" (to build it better) mindset
- eye for detail, carefulness
- hunting bugs (or vulnerabilities)
There are, of course, also differences, such as:
- domain focus: security versus product and process quality
- depth of security knowledge and the time available to focus on it
How can they cooperate? There are many ways; in my opinion the most welcome are the OWASP Testing Guide, the OWASP Top Ten for web and mobile and the OWASP Cheat Sheets, as well as SAST and DAST class security scanners. For SAST I would mention SonarQube as an example, with its security controls and quality gates. As a former Quality Assurance engineer and tester and a current security engineer, I'm very enthusiastic about this cooperation and its advantages in day-to-day software product development. Basic security testing capabilities are also a great career development opportunity for testers to become an even more valued part of software development teams.
I would like to evangelise a bit about such cooperation, as we can really help each other. In my talk I tend to focus on agile development practice rather than others such as waterfall.