Home > Ask the Software Quality Experts > Application Security Questions & Answers > The most effective time to do security testing
Ask The Software Quality Expert: Questions & Answers
EMAIL THIS

The most effective time to do security testing

Chris Wysopal EXPERT RESPONSE FROM: Chris Wysopal

Pose a Question
Other Software Quality Categories
Meet all Software Quality Experts
Become an Expert for this site


Software quality news and advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


>
QUESTION POSED ON: 22 October 2007
At what point in the software development lifecycle (SDLC) is it appropriate, and most effective, to conduct security testing?

>
EXPERT RESPONSE
For years testing applications for security meant a pen test, or penetration test, at deployment. For almost as long, security consultants have urged users to push security testing to earlier in the development lifecycle. I agree. Threat modeling, security requirements definition and architectural reviews are critical during the design phase. During the development phase, however, you need to account for code velocity or code churn. It is not efficient to test applications for security while code is being added and removed in large chunks. Once one gets to the build stage, this changes. Major features are largely in place and code churn is lower. I recommend static analysis as builds progress, followed by static analysis and dynamic analysis as a staging environment is ready.

In the past, companies would focus on run-time security, i.e. testing applications after they are deployed in live environments, such as a Web site/ecommerce site. Over the past few years, many companies have been advocating the philosophy that you should start testing as early as possible. Why? If you catch potential vulnerabilities early, they are easier to fix and you will avoid much higher costs that could result from a breach later. The downside of that approach is that developers who are not security experts are spending significant amounts of time learning about and concentrating on security rather than focusing on writing good, functional code.

I have a different perspective. Rather than scanning an application every day or week, I recommend focusing on key milestones in the software development lifecycle. Testing code doesn't make sense until applications are past the build stage, i.e. at the integration testing level. That's because until you get to the integration testing level where the code is able to be compiled, you are looking at piecemeal code. Critical milestones are unit integration testing, alpha testing, beta testing, pre-deployment (staging environment), and then during the deployment cycle, typically quarterly for compliance assessments. I call this "injecting" best practices at critical milestones in the SDLC.


Sound Off! -   


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Application Security
How to prevent anti-DNS pinning attacks
Open source application security testing tools
Java application security features and measures
Web application security testing basics
Password recovery with .NET 2.O using C#
Free load and performance testing tools
Finding backdoor threats within applications
SPML and SAML enhance application security in different ways
Authentication and authorization for Web applications
How to implement security in Java EE and Java ME

Building security into the SDLC (Software development life cycle)
Application security enters uncharted regions
How to prevent XPath injection
Developers get bigger role in software quality, security
InfoSecurity 2008 Threat Analysis, Chapter 4: XSS Theory
How to prevent anti-DNS pinning attacks
Java application security features and measures
Microsoft's Michael Howard: Security must be a part of every application
How to get developers to buy into software security
Password recovery with .NET 2.O using C#
How to address security during requirements gathering

Software security testing and techniques
Web application security testing basics
Getting started with Web application misuse cases
OWASP kicks off Summer of Code 2008
Video: Classification, detection of application backdoor attacks
Testing custom applications in a manufacturing context
Ajax security concerns you need to be aware of
Web application hacking: Inside the mind of an attacker
InfoSecurity 2008 Threat Analysis, Chapter 4: XSS Theory
How to define the scope of functional security testing
Cracking passwords the Web application way

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts