
	Home > Ask the Software Quality Experts > Application Security Questions & Answers > The most effective time to do security testing

Ask The Software Quality Expert: Questions & Answers

EMAIL THIS

The most effective time to do security testing

EXPERT RESPONSE FROM: Chris Wysopal

		Pose a Question

		Other Software Quality Categories

		Meet all Software Quality Experts
		Become an Expert for this site

Software quality news and advice

Digg This! StumbleUpon Del.icio.us

QUESTION POSED ON: 22 October 2007
At what point in the software development lifecycle (SDLC) is it appropriate, and most effective, to conduct security testing?

For years testing applications for security meant a pen test, or penetration test, at deployment. For almost as long, security consultants have urged users to push security testing to earlier in the development lifecycle. I agree. Threat modeling, security requirements definition and architectural reviews are critical during the design phase. During the development phase, however, you need to account for code velocity or code churn. It is not efficient to test applications for security while code is being added and removed in large chunks. Once one gets to the build stage, this changes. Major features are largely in place and code churn is lower. I recommend static analysis as builds progress, followed by static analysis and dynamic analysis as a staging environment is ready.

In the past, companies would focus on run-time security, i.e. testing applications after they are deployed in live environments, such as a Web site/ecommerce site. Over the past few years, many companies have been advocating the philosophy that you should start testing as early as possible. Why? If you catch potential vulnerabilities early, they are easier to fix and you will avoid much higher costs that could result from a breach later. The downside of that approach is that developers who are not security experts are spending significant amounts of time learning about and concentrating on security rather than focusing on writing good, functional code.

I have a different perspective. Rather than scanning an application every day or week, I recommend focusing on key milestones in the software development lifecycle. Testing code doesn't make sense until applications are past the build stage, i.e. at the integration testing level. That's because until you get to the integration testing level where the code is able to be compiled, you are looking at piecemeal code. Critical milestones are unit integration testing, alpha testing, beta testing, pre-deployment (staging environment), and then during the deployment cycle, typically quarterly for compliance assessments. I call this "injecting" best practices at critical milestones in the SDLC.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Application Security
	Are SQL injection attacks really a big software security risk?
	Beating software's cross-site scripting, authentication problems
	Expert resolves issues plaguing OpenSTA users
	What is fuzz testing? What are some ways to use fuzz testing?
	How do I convince management to take application security seriously?
	Security testing sales, marketing websites
	Top tools for testing Web application security
	How to prevent HTTP response splitting
	PCI DSS compliance: WAF, code review or both?
	Open source application security testing tools

Building security into the SDLC (Software development life cycle)

ALM boundaries are expanding in application development

Top software testing and quality assurance news stories from 2009

Aligning business goals with Focus Stories

Which requirements have the greatest effect on quality in software development?

How to write an SRS document for three different databases

Problems caused by skipping analysis stage of SDLC

Inexpensive phase of SDLC to catch and fix bugs

GatherSpace beefs up cloud-based requirements management

ALM: Best of breed vs. complete systems

Software development life cycle phases, iterations, explained step by step

Software security testing and techniques

Why use POST vs. GET to keep applications secure

Old problems persist in Web 2.0 security practices

Application security checklist: Ways to beat cross-site request forgery

Are SQL injection attacks really a big software security risk?

Managing software testing: Five focus-improvement tips

Web server weaknesses you don't want to overlook

Using firewalls for software testing: Pros and cons

Beating software's cross-site scripting, authentication problems

Application security checklist: Finding, eliminating SQL injection flaws

Free Web proxy security tools software testers should get to know

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

SQL injection (SearchSoftwareQuality.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Software Quality - Software Maintenance, Software Requirements, Software Standards

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2006 - 2010, TechTarget \| Read our Privacy Policy