Security evolution into Engineering Productivity

I just started reading the 'How Google Tests Software' book and Patrick Coperland Forward really hit me.

He basically describes how Testing inside Google went from being a separate discipline (Testing vs Coding) to a integral part of the development process and eventually evolved into what is now called 'Engineering Productivity'

And that is exactly what application security needs to do. We need to stop being a TAX and start delivering Engineering Productivity (which ironically is already happening today, since, when you find a good success stories on Application Security, you usually find a good Engineering Productivity story).

You can read it Patrick's Forward online at Safari and just replace Testing with Security.

Just like security is today, testing (at Google) was a separate discipline. With separate skill sets, objectives and focus.

A couple key issue were:

• the lack of development skills that Testers had, 
• how good developers (in the testing team) would be absorbed by development teams 
• how the existing testers were ok with the status quo
• how non-integrated the whole process was

To see how much Google has evolved,  read this job application for a Google 'Engineering Productivity Manager' and look at how much development skills they ask for.

Today we have the exact same issues in security. Most Security teams don't have strong development backgrounds and even when they do they have very little experience in actually writing real world applications (vs mini-tools and scripts).

Also today, a very large number of successful security teams are happy with being a 'badometer' and delivering PDF after PDF to their clients (vs delivering Tests and Automation of their knowledge/findings)

In a way that is why the O2 Platform doesn't have more traction. There are not enough players that have the type of problem that the O2 Platform was designed to solve (for example look at the latests http://googletesting.blogspot.co.uk entries and that is exactly the type of stuff that I do with O2 (I guess to get the Googlers interested I also need to make O2 run in Javascript and Python :) )

More and more I think that Application Security needs to align itself with Testing, since (as the 'How Google Tests Software' book shows) they are much more mature in figuring out how bake their practice into the development lifecycle.

What is interesting is that Application Security does have it very special place in this ecosystem, since usually everybody else cares that  'THE Application Works' , while the security camp is probably the only one that cares about 'HOW the Application works'


So the challenge is how do transform our current Security Practices into an Engineering Productivity world


Related Posts:

• Secure coding (and Application Security) must be invisible to developers
• No more PDFs with Security Findings