Matthew Lindfield Seager

Testing Security Controls

I’m working my way through RailsConf 2019 and I keep finding gems (excuse the pun).

No Such Thing as a Secure Application by Lyle Mullican was one such gem.

Some highlights for me were:

On Automated Tests

Learning to test made me write better code… When we start to think about writing security tests we design better security controls

[Even] if you’re not testing your security controls, somebody [else] probably is… and you really don’t want to outsource security testing to the Internet

On Static Analysis

If you get false positives from a static analysis tool, it might be a code smell:

If I’ve made my code hard for Brakeman to understand and reason about then I’m probably making it too hard for people to understand as well

Resilience

How well do we react to failure:

  • In our app?
    • Segmenting
    • Limiting fallout
  • In our culture?
    • Blame others? Head in sand?
    • Or strive to iterate and improve the security system?

Other nuggets

  • Combine unit testing, static analysis, dynamic tests and manual tests for Defence in Depth
  • Exploits take time… a tripwire or automated black list might be worthwhile
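To make the "test your security controls" and "tripwire" points concrete, here is an added example of my own (not code from the talk): a small authorization policy, the deny-path tests I would write for it, and a tripwire that flags a user who keeps getting denied. The users, records and threshold are all constructed for the illustration.

```ruby
# Constructed sample domain: a user, a record, and the policy guarding it.
User   = Struct.new(:id, :role)
Record = Struct.new(:id, :owner_id)

# The security control under test: an authorization policy object.
class RecordPolicy
  def initialize(user, record)
    @user, @record = user, record
  end

  # Owners and admins may read; only the owner may delete.
  def show?
    @user.role == :admin || @record.owner_id == @user.id
  end

  def destroy?
    @record.owner_id == @user.id
  end
end

# Tripwire: counts denials per user so repeated probing of other people's
# records becomes a signal, even though every individual request is refused.
class DenialTripwire
  THRESHOLD = 3 # constructed value; tune to the real request volume

  def initialize
    @denials = Hash.new(0)
  end

  # Records the decision; returns true once a user exceeds THRESHOLD denials.
  def note(user_id, allowed)
    @denials[user_id] += 1 unless allowed
    @denials[user_id] > THRESHOLD
  end
end

# App-side wrapper: decide, then feed the decision to the tripwire.
# Returns [allowed?, tripped?].
def authorize(user, record, action, tripwire)
  allowed = RecordPolicy.new(user, record).public_send("#{action}?")
  [allowed, tripwire.note(user.id, allowed)]
end

# Security tests: every control gets its deny case asserted, not just the happy path.
# Returns { case_name => passed? } so a runner can check the whole table.
def security_checks
  owner, other, admin = User.new(1, :user), User.new(2, :user), User.new(3, :admin)
  rec = Record.new(10, owner.id)
  tw  = DenialTripwire.new
  {
    "owner can view own record"      => authorize(owner, rec, :show, tw)[0],
    "other user denied view"         => !authorize(other, rec, :show, tw)[0],
    "admin can view"                 => authorize(admin, rec, :show, tw)[0],
    "admin cannot delete others"     => !authorize(admin, rec, :destroy, tw)[0],
    "tripwire flags repeated denial" => (1..3).map { authorize(other, rec, :destroy, tw) }.last[1],
  }
end
```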