Successful Strategies for QA-Based Security Testing Rafal Los, Hewlett-Packard
About the Topic
Involving the QA organization in a software security assurance program is critical, yet it’s incredibly difficult to find a magic formula that is both effective and not overly taxing on the QA organization. The key issue is that, fundamentally, while security and QA are both testing functions, they couldn’t be more different.
QA tests applications for known features and functions, while security is tasked with testing the unintended features that developers program into their code. Testing for ‘unknowns’ is incredibly difficult, but what if security testing were split into a defined component and an undefined component? The defined component could be tested by QA, while the undefined component could be left to the ethical hackers to test.
About the Speaker
Rafal Los is the Web Application Security Evangelist for the HP Software & Solutions business at Hewlett-Packard. Rafal is responsible for bridging gaps between security technologies and business needs. He also focuses on demonstrating business value from risk reduction through measurable gains in enterprise web application security solutions on behalf of the HP Application Security Center group. He has spent over 10 years in various facets of information security and data protection, building programs at companies ranging from startups to Fortune 50 enterprises. Rafal is a frequent speaker at security conferences and quality events. He contributes regularly to organizations such as the Open Web Application Security Project (OWASP) and others promoting education, openness and standards.