AppSec Europe 2016 has ended
Thursday, June 30 • 10:20 - 11:05
Tell me stories about your appsec, let's skip the pentest


Capturing and describing S-SDLC problems is also possible by interviewing managers and workers, instead of measuring the symptoms with dynamic and static methods. The participants of the development process are themselves, most of the time, aware of the problems, or they can tell stories from which a competent interviewer can infer the presence of appsec problems. We assume that this interview-based method becomes more adequate and efficient when the requirements and principles of taking care of security are already present in the SDLC (since, as we know, maturity is a relative characteristic and improving security can be a long process).

The root causes of application security problems are mostly organizational, not technical. For capturing and describing organizational problems there is a mature methodology: qualitative interviewing. There is also a more specific variant of it, narrative interviewing, in which you make interviewees tell stories about their professional practice, the real-life practices they follow, and the other rules of the development process in place. While spending substantially less effort than a pentester, a prepared interviewer can take a trustworthy picture of the state of application security in a software manufacturing unit. Based on the interpretation of the professional stories told and other details of the oral account, that is, based on the interview analysis, an appsec consultant can competently advise the client on how to improve the S-SDLC.

Interviewing may bring up the gaps between the security-related goals and the actual practice, and may suggest which nuances of the organizational and workplace processes cause the inability to fulfill the existing S-SDLC targets, or the failures to act according to the methodological prescriptions. Or it may bring up the mismatch between the trainings and the areas of actual dissatisfaction with the security quality. Interviewing may also shed light on the difficulties of complying with advanced security policies under the time pressure created by business targets (a widespread problem that is nevertheless hard to communicate while wearing the ethical hacker's hat or any other technological consultant role). The kind of findings you can expect from an interview-based audit obviously differ from pentest findings, but it is also evident that the roots of the pentest findings may well be traced to banal organizational failures and conflicting goals.

There is nothing new about gathering information by interviewing people at the client's organization. Regarding application security, the main idea of the talk is that the problems in the appsec field are similar in nature to those observed by organizational developers who aim to improve the workings of organizational units and whole institutions. Thus an application security consultant can reuse the instruments created for organizational developers.

The organizational appsec audit need not suffer from the usual problems of VAPT audits, where the findings are gibberish to the decision makers, are communicated through several redirections and filters, and where there is the usual gap between the testers, who do not speak the language of developers, and the developers, who are supposed to change their patterns based on the reports. In organizational development (especially when based on competent interviews) the "auditors" speak the language of management, and the findings are likely to be understood by the business.

It is quite natural to step further from the organizational appsec audit to an appsec consultancy phase: improving the S-SDLC itself and the organizational aspects that have an impact on security quality, as well as improving the rules of decision-making surrounding software development.


Timur Khrotko

appsec co-producer, org researcher, secmachine.net
Timur spent the last 14 years running a small IAM-focused ISV and an application security consulting firm. He holds a PhD in Business Management. His research topics are stereotypes of thinking in general and behavioral patterns of executive managers in particular.

Thursday June 30, 2016 10:20 - 11:05 CEST
Room D (Tiziano Ballroom Sec. 3)