Application Security/Software Assurance

3416 - There Is No Plug & Play: Tips for Implementing Automated Software Security Testing Tools

Wednesday, October 10
3:00 PM - 4:00 PM
Location: Floor 2: Galerie 4

Numerous automated software security testing tools are available today to assist developers with reducing the number of vulnerabilities in their software. From static code checkers to dynamic fuzzers to software composition analysis tools, there are many products in existence to aid in improving code security. Part of the lure of using such tools is not just that they will make your code more secure, but that they will automate much of this security work, saving precious development time and money.

After participating with different organizations in several enterprise-level initiatives to introduce automated security testing tools to existing development projects, it became evident that two things are often severely underestimated: the effort required to get the tools running in place, and the aftermath once the tools are running. This talk will present an overview of challenges encountered while implementing automated software testing tools, describe the often unforeseen impacts of introducing such tools, and make suggestions for successfully addressing these two areas of concern. The talk will draw on real-world case studies, which included formal surveys of project participants. These survey results, which show the role people play in the success of the tools, will be shared as part of the talk. One overriding theme of the studies is that testing automation requires people, and often more people than anticipated.


Learning Objectives:

Thomas P. Scanlon, MS, PhD, CISSP

Cybersecurity Researcher
Software Engineering Institute - Carnegie Mellon University

Thomas P. Scanlon is a proud CISSP who holds a doctoral degree in information systems and currently works as a senior cybersecurity researcher in the CERT Division of the Software Engineering Institute at Carnegie Mellon University. Prior to joining CMU, he completed 10-plus years of industry experience with Fortune 500 companies in IT leadership roles. Thomas currently specializes in applied research topics related to cybersecurity and software engineering, such as secure architecture and design, integrating software assurance (SWA) into the full SDLC, cybersecurity evaluations of systems, security automation, and RMF. He regularly performs sponsored work in these disciplines, at both the classified and unclassified levels, for numerous constituents including the Department of Defense, Department of Homeland Security, Defense Cyber Crime Center (DC3), Joint Federated Assurance Center (JFAC), U.S. Air Force, U.S. Army, and U.S. Navy.

