Making the most of Security Tests

There are a number of security tests, such as security code reviews, white box testing, penetration testing and red teaming, that assure the security of a product and of the environment where it is deployed.
Some of these tests are mandated by the Secure Development Lifecycle, while others remain optional. The open question is when to use a particular test and how its results affect the ultimate decision on whether a particular product requires additional investment.

This presentation uses a real-world red team attack against a multi-layer product as an example for discussing the differences between security tests. It shows how the attacker starts from the user-facing XML-RPC interface, breaks through multiple defense layers, and ends up with root access to the database server and exfiltration of the target data. The example points out:
- the different areas where the tests improve knowledge about the security risks of the product,
- the requirements for obtaining actionable results, and
- who needs to be involved to actually benefit from the reported results.
The presentation encourages expanding security tests beyond the product's features to the security of the environment where it is deployed, its supporting processes, and the product's developers and administrators. It also shows how closer collaboration between different teams improves the overall security of the product.