Security testing is very specialized. Is it better to outsource this effort to a security testing service or should in-house testers be responsible for security testing?
Whether the security test effort is outsourced to a specialized security testing service or is handled in-house, it’s important for the entire team to have some background in and understanding of the security vulnerabilities of the application being tested. As a project manager, one role you can play is to pull the team together early in the project planning stage and promote a risk-based approach to security testing.
In a recent article on addressing security in the software testing lifecycle, I make the point that it’s important to work with product managers and business leaders to understand business risks associated with security exposures. “The first step is to understand the business risks that might be exposed by the application. Could there be a financial loss? Is there an exposure that might result in a liability? Tie technical risks to the business. What would be the business loss if there was a technical failure?”
Understanding both the impact and the probability of security events helps you identify the areas of biggest risk. The technical team needs to look at the architecture and understand the common attacks that may occur with the technology being used. For example, Web-based applications are vulnerable to different types of attacks than desktop applications.
Once the project team members have a better understanding of the exposures and business risks, they will be better able to make decisions about whether to test and what kind of expertise they need to test. For highly complex or high-risk exposure, it might be best to outsource to a security testing service or a consulting group that has specialized skills in the areas of high vulnerability. However, in-house staff should still be educated and aware of how they can participate in early vetting of requirements and early testing.
Take advantage of the online resources that are available, including the many articles on SearchSoftwareQuality about security testing, to help the team become well-educated on how best to combat security problems.
This was first published in March 2013