Security: a chat with Dinis Cruz
Let’s have a last quick chat with one of the Codemotion Rome speakers: Dinis Cruz.
He is going to present two talks at Codemotion Rome 2016: “Writing Security (unit/integration) Tests using the OWASP O2 Platform” and “New Era of Software with modern Application Security”.
Dinis is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business’s risk appetite with the reality created by Applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on ‘Automating Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform.
Hi Dinis, could you give us a quick introduction about your talk?
My presentation (“New Era of Software with modern Application Security”) is about a very interesting convergence that is happening between the techniques used by Application Security teams and how Software is developed (for example, techniques like: TDD, Docker, e2e Test Automation, Static/Dynamic/Interactive Analysis, JIRA Risk Workflows, Kanban for Security fixes, Web-Services Visualization, etc…)
My main thesis is that “Application Security can be used to define and measure Software Quality” (since not all quality issues are security issues, but all security issues are quality issues)
The idea is that Application Security is all about: a) the non-functional requirements of software, b) the unintended side effects of coding and c) really understanding HOW the software works (not just how it behaves),
Most companies (and teams) don’t have a software security problem, they have a development, testing and workflow problem.
Since Application Security is just a subset of quality and testing, the path to create Secure Applications is to improve the quality and testability of code and their SDL (Software Development Lifecycle)
Security it’s an hot topic, but compared to other topics in the IT world, is not something that in general we see at generic IT conferences, what are the reason behind that?
I think it is because we still have not found a good way to embed security and secure coding practices into the developer’s IDE and into day-to-day IT activities. Most ‘security’ tools and recommendations have negative impact/value, and are really like a tax that needs to be paid before/during/after development.
The other factor is that until recently, Security was a very niche problem which was addressed by ‘those guys over there’. Now that the threat and attack landscape has changed, we really need to start working together, and I believe that Application Security, can be a bridge between the multiple development, operational and business teams.
Is there any book about security you would suggest for developers and newbies?
For attacking: Hacking Exposed Web Applications
For defending: Iron-Clad Java: Building Secure Web Applications by OWASP’s Jim Manico.
If you could improve one thing in tech conferences, what would it be?
I think we need more women in technology and tech conferences. There is still far too much bravado and let’s just do it! approach in software development (which always has the side effect of creating tons of vulnerabilities).
What worries you the most in the IT industry?
How we are OK with not understanding how applications/software that we use every day really works (and more importantly, their side effects). As we increase the interconnectivity, complexity and power of our applications, we are sleepwalking into a massive digital disaster.
The good news is that we have time to do something about it. At the moment (March 2016), the risk for an person or company to be attacked, is still quite low (unless they happen to be targeted)
The bottom line is that for most companies, their main ‘defence capability’ is the ‘lack of focused attackers’ (namely the commercially focused ones, which are the really dangerous ones). Unfortunately, most companies still believe that the reason they have not been (properly) attacked is because they are secure.
What’s your current music album on repeat?
Gilberto Gil (and my Spotify list)
Thanks a lot Dinis, see you in a bit on stage 
