Is collaboration needed for security test or can that be outsourced?
For most organizations, security testing is handled by specialists and limited to functions like vulnerability scanning, patching desktops and looking at network weaknesses. If you follow industry news, you might make the assumption that the black hats are the only people out there actually doing security testing, as they seem to find and exploit errors on a regular basis -- I guess you could call this “outsourcing.”
In reality, no matter how good your security testing tools might be, you will need experts to help assess your applications. A big risk is complacency; even if you have done some basic scanning and testing, you s till need a specialized security expert roll up their sleeves and really run your software through the vulnerability wringer. Thus, I think some form of collaboration in security testing is always needed to do a thorough job.
In response to the original question, yes, collaboration is almost always needed. As for outsourcing, my advice is to keep it in-house, even if you have to hire an expert to assist occasionally, as it is your reputation on the line and not necessarily the outsourcing firm’s.
This was first published in April 2011