Re: [SC-L] Security Testing track: Software Testing Conference:Washington DC

2007-09-06 Thread Chris Wysopal

There has been some movement in this direction and I think you are
correct that we need to educate the mainstream QA audience just as
we must educate the mainstream developer audience.  I am giving a
keynote on software security testing at Practical Quality and Software
Testing in Minneapolis next week: http://www.psqtconference.com/. I am
also speaking at STPCon on prioritizing security testing.  There are
also speakers from SPI Dynamics and Ounce Labs at that conference.  If
you know of other QA conferences please post them here as I am
interested in speaking to this audience and I have found them very
receptive to security testing topics.

Another educational approach is to target this community when we write
books and magazine articles on software security. One of the goals of my
book, The Art of Software Security Testing, was to bring the concepts
of security testing to a traditional QA audience.  To that end I teamed
up with Elfriede Dustin, an author of several QA books, and an organizer
of the Verify conference to make sure the book spoke to the right
audience.

I know Joseph Feiman at Gartner has software security testing as a focus
area.  He has written a few research notes on the topic.

-Chris

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McGovern, James F
(HTSC, IT)
Sent: Tuesday, August 28, 2007 10:39 AM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Security Testing track: Software Testing
Conference:Washington DC

Upon reading this, I had several thoughts come to mind:

1. If we are to truly solve the last mile, we need to also choose more
mainstream conferences such as STPCon (http://www.stpcon.com) since they
also have an associated magazine (Software Test and Performance) which
may stimulate more magazine articles on the topic. I did a quick run
upstairs to our QA folks and asked them what magazines they read, as
well as about their awareness of certain conferences.

2. What do you think we can do as a unified group of individuals in
terms of a listserv to encourage various industry analyst firms such as
Gartner, Forrester and The Burton Group to talk about Secure Software
Testing as a research area? Many CIOs and other IT executives put lots
of value into what they say. We need more top down.

3. What would it take to get more speaker diversity? We have to figure
out how to get more end-customers telling their own stories vs vendors
and consulting firms.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paco Hope
Sent: Thursday, August 16, 2007 1:41 PM
To: Secure Coding
Subject: [SC-L] Security Testing track: Software Testing
Conference:Washington DC


Hey folks,

One of my strong beliefs is that we're never going to close the loop on
Building Security In until we get the QA side of the house involved in
security. To that end, I'm co-chairing VERIFY 2007, a software testing
conference where we have a security testing track (in addition to more
typical QA issues like test automation). I thought some folks on this
list may be interested in attending, or passing it on to your colleagues
in QA organizations.

Conference web site is http://verifyconference.com/ and you can get a
2-page Conference in a Nutshell PDF here:
http://verifyconference.com/images/verify/verify2007.pdf

Please help me spread the word.

Thanks,
Paco
--
Paco Hope, CISSP
Co-Chair, VERIFY 2007
http://verifyconference.com/ * +1.703.606.1905



*
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If
you are not the intended recipient, please notify the sender immediately
by return e-mail, delete this communication and destroy all copies.

*


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org List
information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com) as a free, non-commercial service to the software
security community.
___



Re: [SC-L] Security Testing track: Software Testing Conference:Washington DC

2007-08-28 Thread McGovern, James F (HTSC, IT)

Upon reading this, I had several thoughts come to mind:

1. If we are to truly solve the last mile, we need to also choose more
mainstream conferences such as STPCon (http://www.stpcon.com) since they
also have an associated magazine (Software Test and Performance) which
may stimulate more magazine articles on the topic. I did a quick run
upstairs to our QA folks and asked them what magazines they read, as
well as about their awareness of certain conferences.

2. What do you think we can do as a unified group of individuals in
terms of a listserv to encourage various industry analyst firms such as
Gartner, Forrester and The Burton Group to talk about Secure Software
Testing as a research area? Many CIOs and other IT executives put lots
of value into what they say. We need more top down.

3. What would it take to get more speaker diversity? We have to figure
out how to get more end-customers telling their own stories vs vendors
and consulting firms.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paco Hope
Sent: Thursday, August 16, 2007 1:41 PM
To: Secure Coding
Subject: [SC-L] Security Testing track: Software Testing
Conference:Washington DC


Hey folks,

One of my strong beliefs is that we're never going to close the loop on
Building Security In until we get the QA side of the house involved in
security. To that end, I'm co-chairing VERIFY 2007, a software testing
conference where we have a security testing track (in addition to more
typical QA issues like test automation). I thought some folks on this
list may be interested in attending, or passing it on to your colleagues
in QA organizations.

Conference web site is http://verifyconference.com/ and you can get a
2-page Conference in a Nutshell PDF here:
http://verifyconference.com/images/verify/verify2007.pdf

Please help me spread the word.

Thanks,
Paco
--
Paco Hope, CISSP
Co-Chair, VERIFY 2007
http://verifyconference.com/ * +1.703.606.1905



