Codemotion Magazine
Dinis Cruz: not all quality issues are security issues, but all security issues are quality issues.

Interview with Dinis Cruz and his talk at Codemotion Rome 2018, about how and why application security can be used to define and measure software quality.

Last update December 31, 2018 by Flavia Weisghizzi

Dinis Cruz is not only an outstanding drummer: he is also an active OWASP contributor.

He is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His work concerns aligning the business’s risk appetite with the reality created by applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is ‘Automating Application Security Knowledge and Workflows’, which is the main concept behind the OWASP O2 Platform.

We had the pleasure of attending Dinis’ keynote at Codemotion Rome.

Hi Dinis, could you give us a quick introduction to your talk?

My presentation (“New Era of Software with modern Application Security”) is about a very interesting convergence that is happening between the techniques used by Application Security teams and how Software is developed (for example, techniques like: TDD, Docker, e2e Test Automation, Static/Dynamic/Interactive Analysis, JIRA Risk Workflows, Kanban for Security fixes, Web-Services Visualization, etc.).

My main thesis is that “Application Security can be used to define and measure Software Quality” (since not all quality issues are security issues, but all security issues are quality issues).

The idea is that Application Security is all about: a) the non-functional requirements of software, b) the unintended side effects of coding and c) really understanding HOW the software works (not just how it behaves).

Most companies (and teams) don’t have a software security problem, they have a development, testing and workflow problem.

Since Application Security is just a subset of quality and testing, the path to creating Secure Applications is to improve the quality and testability of code and of the SDL (Software Development Lifecycle).

Security is a hot topic, but compared to other topics in the IT world, it is not something we generally see at generic IT conferences. What are the reasons behind that?

I think it is because we still have not found a good way to embed security and secure coding practices into the developer’s IDE and into day-to-day IT activities. Most ‘security’ tools and recommendations have negative impact/value, and are really like a tax that needs to be paid before/during/after development.

The other factor is that until recently, Security was a very niche problem which was addressed by ‘those guys over there’. Now that the threat and attack landscape has changed, we really need to start working together, and I believe that Application Security can be a bridge between the multiple development, operational and business teams.

Is there any book about security you would suggest for developers and newbies?

For attacking: Hacking Exposed Web Applications
For defending: Iron-Clad Java: Building Secure Web Applications by OWASP’s Jim Manico.

You are a regular speaker at many tech conferences. If you could improve one thing, what would it be?

I think we need more women in technology and tech conferences. There is still far too much bravado and a ‘let’s just do it!’ approach in software development (which always has the side effect of creating tons of vulnerabilities).

What worries you the most in the IT industry?

How we are OK with not understanding how applications/software that we use every day really works (and more importantly, their side effects). As we increase the interconnectivity, complexity and power of our applications, we are sleepwalking into a massive digital disaster.

The good news is that we have time to do something about it. At the moment, the risk for a person or company to be attacked is still quite low (unless they happen to be targeted).

The bottom line is that for most companies, their main ‘defence capability’ is the ‘lack of focused attackers’ (namely the commercially focused ones, which are the really dangerous ones). Unfortunately, most companies still believe that the reason they have not been (properly) attacked is because they are secure.

What’s your current music album on repeat?

Gilberto Gil (and my Spotify list)

Thanks a lot Dinis, see you soon again at one of the next Codemotion events!
