
Dinis Cruz: not all quality issues are security issues, but all security issues are quality issues.

Interview with Dinis Cruz and his talk at Codemotion Rome 2018, about how and why application security can be used to define and measure software quality.

December 31, 2018 by Flavia Weisghizzi

Dinis Cruz is not only an outstanding drummer: he is also an active OWASP contributor.

He is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His work concerns aligning the business’s risk appetite with the reality created by applications that are developed internally, outsourced or purchased. He is also an active developer and Application Security engineer focused on how to develop secure applications. A key driver is ‘Automating Application Security Knowledge and Workflows’, which is the main concept behind the OWASP O2 Platform.

We had the pleasure of attending Dinis’ keynote at Codemotion Rome 2018.

Hi Dinis, could you give us a quick introduction about your talk?

My presentation (“New Era of Software with modern Application Security”) is about a very interesting convergence that is happening between the techniques used by Application Security teams and how software is developed (for example, techniques like TDD, Docker, e2e test automation, static/dynamic/interactive analysis, JIRA risk workflows, Kanban for security fixes, web-services visualization, etc.).

My main thesis is that “Application Security can be used to define and measure Software Quality” (since not all quality issues are security issues, but all security issues are quality issues).

The idea is that Application Security is all about: a) the non-functional requirements of software, b) the unintended side effects of coding and c) really understanding HOW the software works (not just how it behaves).

Most companies (and teams) don’t have a software security problem, they have a development, testing and workflow problem.

Since Application Security is just a subset of quality and testing, the path to creating secure applications is to improve the quality and testability of the code and of the SDL (Software Development Lifecycle).
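As an added illustration of the point made in this answer (this is example code written for this page, not code from Dinis Cruz’s talk or from the OWASP O2 Platform), the block below treats a security requirement exactly like any other quality requirement: it is written down as an ordinary unit test, in the TDD style the talk lists among the converging techniques. The function under test serves files from a directory; its functional requirement is “docs/a.txt resolves to base/docs/a.txt”, and its non-functional (security) requirement is “nothing the caller passes may resolve outside the served directory”, which is an unintended side effect of naive path joining. The directory layout, file names and the helper names are constructed for the example.

```python
"""Added example (not from the interview): a security requirement captured as a
plain unit test beside the functional ones. All names and inputs are constructed."""
from pathlib import Path
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested file would resolve outside the served directory."""


def resolve_under(base: Path, requested: str) -> Path:
    """Resolve `requested` under `base` and refuse anything that escapes it.

    Functional requirement: 'docs/a.txt' -> base/docs/a.txt.
    Security requirement: '../x', an absolute path, or a symlink pointing out of
    `base` must never resolve outside `base`. Both are tested the same way.
    """
    base_resolved = base.resolve()
    # Path joining silently drops `base` when `requested` is absolute, and
    # resolve() follows '..' and symlinks; the relative_to check catches all three.
    candidate = (base_resolved / requested).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError as exc:
        raise UnsafePathError(f"{requested!r} escapes {base_resolved}") from exc
    return candidate


def read_served_file(base: Path, requested: str) -> str:
    """Read a file from the served tree, or raise UnsafePathError."""
    return resolve_under(base, requested).read_text()


def _raises_unsafe(fn) -> bool:
    """True if calling fn() raises UnsafePathError (the expected outcome)."""
    try:
        fn()
    except UnsafePathError:
        return True
    return False


def run_tests() -> dict:
    """Build a throwaway tree and exercise both kinds of requirement.

    Returns a dict of check-name -> bool so a harness can assert on it.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "www"
        (base / "docs").mkdir(parents=True)
        (base / "docs" / "a.txt").write_text("hello")
        # A file one level above the served root that must stay out of reach.
        secret = Path(tmp) / "secret.txt"
        secret.write_text("top secret")

        # Behaviour: the happy path works (functional requirement).
        results["reads_allowed_file"] = read_served_file(base, "docs/a.txt") == "hello"
        # '..' inside a relative path is harmless as long as it stays under base.
        results["allows_internal_dotdot"] = (
            read_served_file(base, "docs/../docs/a.txt") == "hello"
        )

        # Side effects we do NOT want (security requirements), written as tests.
        results["blocks_dotdot"] = _raises_unsafe(
            lambda: read_served_file(base, "../secret.txt"))
        results["blocks_absolute"] = _raises_unsafe(
            lambda: read_served_file(base, str(secret)))
        # A symlink inside the tree that points outside it.
        link = base / "docs" / "escape"
        link.symlink_to(secret)
        results["blocks_symlink"] = _raises_unsafe(
            lambda: read_served_file(base, "docs/escape"))
    return results


if __name__ == "__main__":
    for name, ok in run_tests().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The point is not the path check itself but where it lives: the traversal, absolute-path and symlink cases sit in the same test function as the happy path, run in the same CI job and fail the build in the same way, so the security property is measured with the quality tooling the team already has rather than by a separate ‘security tax’ applied afterwards.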

Security is a hot topic, but compared to other topics in the IT world, it is not something we generally see at generic IT conferences. What are the reasons behind that?

I think it is because we still have not found a good way to embed security and secure coding practices into the developer’s IDE and into day-to-day IT activities. Most ‘security’ tools and recommendations have negative impact/value, and are really like a tax that needs to be paid before/during/after development.

The other factor is that until recently, Security was a very niche problem which was addressed by ‘those guys over there’. Now that the threat and attack landscape has changed, we really need to start working together, and I believe that Application Security can be a bridge between the multiple development, operational and business teams.

Is there any book about security you would suggest for developers and newbies?

For attacking: Hacking Exposed Web Applications
For defending: Iron-Clad Java: Building Secure Web Applications by OWASP’s Jim Manico.

You are a regular speaker at many tech conferences. If you could improve one thing, what would it be?

I think we need more women in technology and tech conferences. There is still far too much bravado and a ‘let’s just do it!’ approach in software development (which always has the side effect of creating tons of vulnerabilities).

What worries you the most in the IT industry?

How we are OK with not understanding how applications/software that we use every day really works (and more importantly, their side effects). As we increase the interconnectivity, complexity and power of our applications, we are sleepwalking into a massive digital disaster.

The good news is that we have time to do something about it. At the moment, the risk for a person or company to be attacked is still quite low (unless they happen to be targeted).

The bottom line is that for most companies, their main ‘defence capability’ is the ‘lack of focused attackers’ (namely the commercially focused ones, which are the really dangerous ones). Unfortunately, most companies still believe that the reason they have not been (properly) attacked is because they are secure.

What’s your current music album on repeat?

Gilberto Gil (and my Spotify list)

Thanks a lot Dinis, see you soon again at one of the next Codemotion events!
