It's a good general rule to do a comprehensive security examination of your applications on a periodic basis (e.g., every quarter or every six months) or after any significant changes have been made. That way, you can uncover flaws that have been introduced into the code, have been found by others, or are better detected by your security testing tools or penetration testers.
Your development team needs to consider what a significant change is in terms of your application and company. Lots of little changes every two to three weeks can add up to big changes in the code base and overall attack surface. I worked on a project once where I uncovered SQL injection in a Web application. The issue was resolved, but the developer continued making other changes. Guess what? The original SQL injection flaw was reintroduced and subsequent security testing was not performed. Unfortunately, a criminal hacker discovered the flaw and this business suddenly had a credit card data breach to deal with.
Some people scan their applications and source code in near-real time, while others do it every few months. You might consider scanning more often (e.g., every week or month) and performing a more comprehensive security assessment less often (e.g., one to two times per year).
With lots of small iterations, it probably makes sense to run an automated scan as frequently as you iterate. With two-week iterations, for example, it would make sense to start with a source code scan every two weeks. If security problems keep popping up, consider scanning more frequently to find and remove the source of those problems. If problems are rare, you might consider cutting back to once a month and going from there. These regular scans will help keep applications secure between more in-depth security audits.
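To make the "scan on every iteration" idea concrete, here is a small example added to this answer (it is not from the original article): an AST-based source check that flags database execute() calls whose SQL is assembled at runtime with concatenation, f-strings, %-formatting or .format(), which is the pattern behind the reintroduced SQL injection described above. The module it scans is constructed for illustration and assumes Python DB-API style cursor.execute() calls.

```python
import ast
import sys

# Constructed sample: the parameterised fix, the flaw reintroduced later, an f-string query.
SAMPLE_SOURCE = '''\
def find_user_safe(cur, name):
    cur.execute("SELECT id FROM users WHERE name = %s", (name,))

def find_user_regressed(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")

def count_rows(cur, table):
    cur.execute(f"SELECT COUNT(*) FROM {table}")
'''

def _operands(node):
    """Flatten a chain of '+' into its operands."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _operands(node.left) + _operands(node.right)
    return [node]

def _classify(arg):
    """Label the SQL argument if it is assembled at runtime, else return None."""
    if isinstance(arg, ast.JoinedStr):
        return "f-string"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return "%-formatting"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add) \
            and not all(isinstance(o, ast.Constant) for o in _operands(arg)):
        return "string concatenation"  # literal-only "a" + "b" is not flagged
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"):
        return ".format()"
    return None

def scan_source(source, filename="<sample>"):
    """Return sorted (line, label) findings for execute()/executemany() calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            label = _classify(node.args[0])
            if label:
                findings.append((node.lineno, label))
    return sorted(findings)

if __name__ == "__main__":
    # Scan the .py files named on the command line, or the sample if none.
    for name in sys.argv[1:] or ["<sample>"]:
        src = SAMPLE_SOURCE if name == "<sample>" else open(name, encoding="utf-8").read()
        for line, label in scan_source(src, name):
            print(f"{name}:{line}: SQL built with {label}")
```

A check like this is deliberately narrow; it complements, rather than replaces, the periodic comprehensive assessment.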
There is no magic number I can offer to answer your question, but I can say that you need to do a comprehensive security examination periodically and consistently. Only you will know what's best for your environment and your business. Frequent smaller exams can give you the feedback you need to make the decision.
Related Q&A from Kevin Beaver