Overcoming the Quality vs Quantity Problem in Software Security Testing presented at OWASP AppSecAsiaPac 2012

by Rafal Los,

Tags: Security

Summary : "The current state of software security poses a very serious problem when it comes to technology. Does the organization strive for more quality, or quantity in uncovering critical software security defects? Unfortunately as a result of the constraints of many security organizations' budgets and available resources these critical components are often mutually exclusive. Organizations shouldn't have to sacrifice quality for quantity, or vice versa their software security programs. While obtaining good quantity of coverage (both inside a single application from a static and dynamic perspective and across the enterprise application landscape) is critical to understanding the total threat profile of an organization, the organization simply can't forego the quality aspect because a poor test can not only provide a false statement of compliance but create the illusion of security. So what can organizations constrained by resources, capital and knowledge do to balance quantity against quality in their software security programs? How can people, process, and technologies be leveraged to effectively balance the quantity vs. quality scale? The speaker will address this very critical balance from a vendor-neutral, technology-agnostic perspective, giving developers, quality analysts and security testers the perspective necessary to provide optimal balance."