Richard Ford's abstract

Security Testing != Testing

In many development organizations, the security "expert" is a wizard, paid top dollar, and held in high regard. In contrast, testers seldom reach this status, and are all too often seen as a step "below" the programmers in the organization. A tester and a security tester are not fungible… not even close. Although this is a caricature, it does represent a fairly common perception of these roles, and it raises the question of how the skillset of a competent tester differs from that of a competent security tester. Against the backdrop of a massive shortage of qualified security experts, the continuum of security testing levels is described, ranging from the simple to the esoteric, and the skills, knowledge, and analytical abilities each level requires are discussed. By the end of the session, some of the key differences in perception and in actual skills will have been highlighted, and a list of the challenges in, and returns of, training testers to be more security savvy will have been outlined.