It’s been a busy week and I’m itching to start the weekend, so this week’s post is going to be short, but I’ll make up for that with extra blog posts next week. I take off for Nashville in about forty-eight hours. This conference is going to be a real challenge to cover on my own, but it should be a really fun challenge. Plus, I’m looking forward to announcing some news from one of our application security experts.
I still can’t decide on most of the sessions I’ll actually end up being in. I found a session on integration testing on Monday afternoon so that’s one place and time you’ll find me. I’m looking for some other good sessions on testing. If you’re going to be at Agile 2013, feel free to let me know what sessions I should be at and haven’t found yet.
On a separate note – to show I’m not purely dedicated to Agile2013 all the time – I’d like to mention a call I had earlier today. One of our regular security experts – Dan Cornell – is deeply involved in an open source project called ThreadFix. What ThreadFix does (in the most general of terms) is to take the vulnerabilities that security testers find, collect them all in one place, and then convert them into code defects that fit in with the work a developer is already doing. That makes it much easier to get developers (and their managers) focused on security in a concrete and operable way.
Dan gave me a sneak peek at what the next steps are for the ThreadFix project. I can’t really say what that is or what it means until after the official release comes out next week. However, I will say that it makes a lot of sense and should make the concepts behind ThreadFix more adoptable and more available to more organizations. This is a good thing because it seems like application security issues are being treated like second rate citizens in most software quality programs. I’d like to see more effective long-term solutions emerge for software security testing – and more importantly fixing.
Do you think your organization handles security particularly well or particularly poorly? I’d love to have a chat about it. We don’t have to mention anything identifiable about your organization (unless you want to). Shoot me an email or find me on Twitter @TTJDenman. Oh, and speaking of Twitter – I’ll be sounding off throughout next week’s festivities on the #Agile2013 hash tag.