About this Episode
Welcome to the new Test Guild Security Testing podcast episode 0. For those that don't know, I'm Joe Colantonio, founder of Test Guild, which is a blog, podcast, and online conference dedicated to helping software engineers succeed with end-to-end full-stack testing.
I'm also the host of the TestGuild Automation podcast, formerly known as TestTalks, which I've been running since 2014, and of the Test Guild Performance podcast, which I started a few months back.
So a few people have asked me why I broke TestTalks up into separate podcasts for these different niches.
I thought it would be easier for folks to get the episodes they wanted if I broke them into distinct categories. So I now have the Test Guild Automation podcast, the TestGuild Performance and Site Reliability podcast, and now the Test Guild Security Testing podcast.
So what can you expect from this podcast? I plan on releasing a new episode on security and security testing every Thursday. Based on feedback from my other podcasts, most people tend to like 30-minute episodes, so I plan on making most episodes 30 minutes or less. The format will mainly be interview-style, with me speaking with some of the top security testing experts in the field.
For example, I currently have interviews lined up with Kevin E. Greene, who is a cybersecurity expert and researcher, all about the software assurance marketplace. I also have an interview set up with Jeff Martin from White Source on their latest survey about the state of software security, and one with Franziska Buehler all about OWASP. And I have a bunch more lined up.
I'll be honest with you and tell you that I'm also new to security testing myself. So many of these episodes are going to be geared towards beginners. If you're new to security as well, it will be like we're taking an audio learning journey together. This is great because I'm going to avoid the curse of knowledge, since I'm starting fresh. But over time, as I gain experience, I will probably have more and more technical sessions with experts as well. It all depends on what you want.
I plan for this to be a listener-led podcast. So if you want more expert-type interviews, let me know, and I'll line those up on the specific topics and with the speakers you want to hear about. Not a problem. For anything that would make the show better, all you need to do is drop me a line anytime at Joe @ TestGuild with any idea you might have to make this podcast more helpful to YOU.
Because that's all that matters: you and the value you may be getting or not getting. If you're not getting value, let me know. I want to make this a valuable resource for you.
Also, as I mentioned earlier, I run online conferences: one for automation testing called Automation Guild, one for performance testing called PerfGuild, one for testing/QA called Testing Guild, and one for security called Secure Guild.
So this podcast will help me know which subjects, topics, and speakers are resonating with people, which ones are being downloaded more, and based on that, I can create better sessions around the security topics you need to know to help you with your day-to-day job.
So you might be asking why another podcast dedicated to security or security testing? Well, one thing is that I'm coming to this with a beginner's mind. I really am new to the field, so you get to see how I grow over time as I learn more and more about security. I think that's one difference from what is probably already out there. Also, I feel very passionately that security is going to be the next hot topic. As I mentioned, I host an automation podcast that I've been running for almost six years now. I've interviewed over 280 folks, but over the past year or so, more and more people have been bringing up the topic of security, and I hear more and more about DevSecOps. So I think this is a growing trend.
And if you're a tester, I think it's a skill you need to know more about. If you're a software engineer, as part of your definition of done it can be another activity you're going to have to know as you're creating software and trying to release it faster into production.
Also, according to an article I recently read in S.D. Times, security is at an all-time low point this year, as 2013 saw the second, third, and seventh biggest breaches of all time, measured by the number of people affected. And I've heard more and more that it's becoming more common, especially with open source. So I feel we're getting to a breaking point here: if you're not dealing with security now, I think in 2020 you're going to be dealing with security for sure.
Also, Disney+ was recently released, and according to a Washington Post article, thousands of Disney+ accounts were hacked. Basically, hackers commandeered user accounts, locked out the owners, and changed the login credentials.
I was speaking to someone last week who was one of the folks that signed up for Disney+. During Thanksgiving, they had to lock down their credit cards because someone got hold of them, and they believed the reason was directly due to this Disney+ hack.
So because of this and some other things, I want to help raise awareness of the need for more security testing, and this podcast is my small contribution to that effort.
I also worked for a large enterprise company for many years. And although security was always on our team's definition of done, no one knew what it meant or knew what to do about it.
Also, we had a separate security team, a highly secretive security team somewhere in the company that supposedly handled everything. But we didn't know what they did, and we never interacted with them. This caused issues, because I feel that just like you can't test quality into developed code, you can't test security into code that wasn't built for security to begin with.
So you can't test what isn't testable. I don't think you can build security into code that is not secure from the start. And as more companies shift left in the software development lifecycle, I believe we need to start baking security into our code well before we get to any testing scenario.
And in fact, this recently came up. I hosted an online event last week for a company called Vivit.
Vivit is a user group for folks that use Micro Focus tools, but most of the topics were generic enough to apply to anything. And so we had a lot of experts on speaking with us, a lot of experts from large companies that do consulting.
What came up over and over again was security and security testing, which I was somewhat surprised by, because usually this type of conference focuses more on functional test automation.
So I want to share a quick clip from a live Q&A I did at Vivit ADM Virtual Days, from a live keynote with Rick Sullivan, who is the VP and GM of Application Services at DXC Technology, and Stephen Dimitrov, who is a Director of Application Solutions at Merito.
So, two experts, they deal with a lot of customers, a lot of enterprise scenarios. They have some great insight. And I just want to share this because it kind of validated why I'm releasing a new podcast dedicated only to security, and security testing.
Rick brought up the point that there is a talent war going on within companies trying to find people who have the right skills. So my question was, what are some skills that are in demand right now that he sees, which led to his following response.
From a talent perspective, there is a significant talent that's out there. I think all companies, certainly our customers, all companies are struggling with that. There's a heavy focus on security. And today's security isn't what it had been decades ago.
Security, I believe, today is heavily about the application layer. And it is very much akin to testing; it has to do with understanding vulnerabilities that can be introduced as we're trying to deliver on faster and faster cycles of software with quality. So a heavy focus around application security, data security, and security across that lifecycle with Agile methods and Agile experiences, I think, are two areas that we heavily focus on. And then through very hands-on practical work experiences.
Stephen mentioned that if you look at his organization, they're a relatively small organization that focuses on testing. I would say about 60 percent of our business is on the traditional testing of applications, and the remaining 40 percent is on security testing for those applications. If you looked at those numbers just one or two years ago, it would have been more skewed towards an 80/20 type percentage. So we see a lot of that. We still see a lot of siloed perspective on security testing versus application testing.
So we're trying to help our customers understand the benefits of bringing that all together and integrating that throughout their SDLC with something like DevSecOps, which Rick was talking about in detail in his keynote.
It's something that all of our customers need. Everybody knows about it. It's a much more popular dialog these days than traditional application testing.
Rick and Stephen said it better than I could.
I just wanted to give you a little flavor of what other experts are seeing out in the field, and to provide more reasons why I feel there's a need for more security information and more security testing education. Hopefully, this podcast will be a small part of that.
And lastly, to be upfront, I was laid off from a full-time corporate gig a few months ago, so now I have the time to do all kinds of cool things like this new podcast. That's the last reason why I thought I'd start a new podcast all around security testing.