Sarah Clarke is a Senior Security Engineer at Genesys Telecommunications. She has 12 years of experience in IT, seven of which have specialized in Security. She has worked with nonprofit, government contracting, ISP, financial sector, and telecommunications organizations; currently, she is enjoying serving as application security testing and vulnerability management SME for Genesys Cloud, a global SaaS IVR and virtual call center PCI (and etc) compliant service provider.
Sarah’s passion for application security began with the Toyota break failure bug and continued with the work by Barnaby Jack and Jay Radcliffe on poor software design causing fatal error conditions in pacemakers and insulin pumps. She chooses to focus on helping teams make better software, to protect the innocent, save lives and identities.
Sarah is a member of Infraguard, holds four industry certifications, recently presented at Shmoocon Firetalks 2014, and volunteers to support the security community whenever possible.
Lessons Learned Implementing a SDLC
Developers and Quality Engineers are wonderful people who understand how to create, test, and validate features. They frequently aren’t, however, educated in school on architecting applications to prevent security failures, coding to not introduce security bugs, and testing to validate secure functionality.
The language of development – features, releases, agile – is not the same as security – XSS, CSRF, managing session state.
We have to communicate better with our developers and QEs, to inspire them to care, in their language; we have to work with senior management to identify how security fits into their needs to get buy-in and support.
This is a discussion on how that communication works best; overcoming cultural sticking points, and iterating through creating a process that creates better code without slowing down business.