How do you do security testing if you don't have an army of ninjas? Hire one of the few available? Train an existing, uninterested, full-time quality engineer, using development-focused and penetration-tester-focused courses and materials such as SANS, OWASP, and CAPEC? Use automated scanning or penetration testing, both of which require expertise to interpret results and remove false positives, and which offer only limited coverage?
Andrea Doherty has been a security champion, security architect, and security advisor for the past 19 years. She specified, designed and built security applications for 13 years at RSA – the Security Division of EMC, and spent the last year working for the EMC Product Security Office leading the SDL Enablement Team, which produces guidance, methodologies, and tools on best practices for applying all phases of the application security development lifecycle for product teams across EMC. She is also an Application Security Advisor for a major EMC Business Unit. Andrea represented RSA in the IETF KEYPROV Working Group, and was editor of RFC6063.