Offensive application security (penetration) testing is a technically demanding cybersecurity specialization with growing demand for proficient practitioners. Despite that demand, there is a lack of established standards, guidelines, and best practices for cultivating effective teams. In contrast, software engineering benefits from a thriving culture and extensive literature dedicated to optimizing team and individual performance, and undergraduate and graduate programs provide aspiring engineers with comprehensive curricula that cover the technical, philosophical, and soft-skill fundamentals of the discipline. Lacking formalized or structured training, application penetration testers typically acquire skills through on-the-job experience or a patchwork of online resources and certifications. Given the role of application security specialists in identifying vulnerabilities in critical systems, the absence of comprehensive training programs and evaluation frameworks may have a substantial (though unquantified) impact on the security posture of today's applications. Resources for building effective offensive application security teams are sparser still.
This talk will share notable insights, challenges, and novel approaches toward the management and development of a fully remote (work-from-home) offensive application security team operating within a consultancy. It will describe the successes, failures, and future work in the pursuit of a comprehensive, empirically grounded framework for building an optimally effective team. Although technical proficiency is an essential focus, the talk will also cover the other elements of effective teams, including team cohesiveness, communication, and the supporting processes and systems. The following key areas will be covered:
- Understanding security and penetration testing in the context of human performance, informed by the technical skills training of surgeons
- The development and delivery of an offensive application security curriculum
- Implementing effective skill and talent assessment for hiring across experience levels
- Utilizing effective fully remote communication and collaboration strategies to engage teams and inform decision making
- Managing ongoing research and development as necessary side projects
- Applying empirical approaches to evolve penetration testing systems and methodology