All about TestSecOps
The benefits of integrating security into the software design process were a topic of discussion at this year’s BSides Leeds, as pen testers look to lighten their load by making security a responsibility of all enterprise teams.
Dan Smart, an engineering test manager with Booking.com, explained how he’s been developing the company’s overall security strategy – a task that’s being focused around the education of software testers.
“Ultimately this is an exercise in the left-shifting of security, but it can also be seen as an alternative route into security testing,” Smart told conference attendees last week.
“With a bit of effort, everyone can have some security understanding and be somewhere on the scale of novice to expert.”
Thinking about the bigger picture
Beginning last year, Smart decided to go “rogue” and grow Booking.com’s security posture by teaching testers the hacking basics.
The e-commerce giant’s Manchester office, where Smart is based, had a CISO and small security team that “can only do so much”, he said.
“If we leave everything to the security team to find, they’re often firefighting and, unfortunately, at times, babysitting,” he said.
“They [the security team] should be thinking about the bigger picture, instead of finding XSS vulnerability after XSS vulnerability.”
Using the OWASP Top 10 as teaching material, Smart created security workshops for testers within the company, training a total of 15 employees to start.
“I spent my time helping the teams learn, helping them find the time to learn, helping them find the resources, and providing them with a safe place to learn,” Smart said.
He also encouraged testers to find other experts on the discussed security topics and become involved in the wider community.
“In doing so the testers can bring the knowledge back in their teams for the purposes of discussing security, alongside quality, and other testing discussions, on every aspect of the product lifecycle,” Smart said, adding how security was a teachable concept when explaining its importance to both customers and the company’s brand.
Testing the waters
The security workshops have since been rolled out to the rest of the test team, Smart said, with expansion into other teams coming alongside a centralized strategy that involves communicating “essential information about security testing” and documented guidelines on how to integrate security based on an employee’s role within the company.
Smart started by training testers partly because of his experience in doing the job himself. The company’s infrastructure also simplified the process.
“We have a tester in every product team, which works for us because we have embedded testers,” Smart said. “This way we can infiltrate each team and have a security ambassador on each one.”
He added: “If you don’t have embedded testers then this may not be the security solution for you, and that’s fine – there is no single correct answer to this puzzle.
“We want to create a process for all employees when they start with us.”
Testers have started to log security bugs since Smart began the training, and Booking.com plans to create a security guild comprising employees from different disciplines who all have a common interest in security.
“We want to publish standards of practice and work with individual teams in order to improve their security practices,” Smart said.
The travel reservation company has also started a public bug bounty program through HackerOne.
“Ultimately we want to bring this back in house,” Smart said.