It's a good general rule to do a comprehensive security examination of your applications on a periodic basis (e.g., every quarter or every six months) or after any significant changes have been made. That way, you can uncover flaws that have been introduced into the code, have been found by others, or are better detected by your security testing tools or penetration testers.
Your development team needs to consider what a significant change is in terms of your application and company. Lots of little changes every two to three weeks can add up to big changes in the code base and overall attack surface. I worked on a project once where I uncovered SQL injection in a Web application. The issue was resolved, but the developer continued making other changes. Guess what? The original SQL injection flaw was reintroduced and subsequent security testing was not performed. Unfortunately, a criminal hacker discovered the flaw and this business suddenly had a credit card data breach to deal with.
Some people scan their applications and source code in near-real time, while others do it every few months. You might consider scanning more often (e.g., every week or month) and performing a more comprehensive security assessment less often (e.g., one to two times per year).
With lots of small iterations, it probably makes sense to run an automated scan as frequently as you iterate. With two-week iterations, for example, it would make sense to start with a source code scan every two weeks. If security problems keep popping up, consider scanning more frequently so you can track down where they are coming from. If problems are rare, you might consider cutting back to once a month and going from there. These regular scans will help keep applications secure between more in-depth security audits.
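As an added example (not code from the original answer or from the author), here is a minimal per-iteration gate in Python that shows the two ideas above working together: a lightweight source check that flags SQL assembled from variables, and a regression check that reports when a location cleared by an earlier scan is flagged again, which is the reintroduced-flaw scenario described earlier. The file path, the three code snippets representing successive iterations, and the regex heuristics are all constructed for this illustration; a real project would run a proper SAST tool in the same slot. The cadence helper at the end is one possible policy for tightening or relaxing the interval, not a rule from the answer.

```python
import re
from dataclasses import dataclass

# Lines that look like SQL statements.
SQL_VERB = re.compile(r"(?i)\b(select|insert|update|delete)\b")
DEF_LINE = re.compile(r"^\s*def\s+(\w+)\s*\(")

# Heuristics for query text assembled from variables rather than parameterised.
# Constructed for this example; a real SAST tool tracks data flow instead.
DYNAMIC_BUILD = [
    ("f-string interpolation", re.compile(r"""\bf["'][^"']*\{""")),
    ("%-formatting", re.compile(r"""["']\s*%\s*[\w(]""")),
    (".format() call", re.compile(r"""["']\s*\.format\(""")),
    ("string concatenation", re.compile(r"""["']\s*\+\s*\w|\w\s*\+\s*["']""")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    func: str
    line_no: int
    reason: str
    text: str

    @property
    def location(self):
        """Stable key meaning 'the same place was flagged before'."""
        return (self.path, self.func)


def scan_source(path, text):
    """Return one Finding per line that builds SQL dynamically."""
    findings, func = [], "<module>"
    for n, line in enumerate(text.splitlines(), 1):
        m = DEF_LINE.match(line)
        if m:
            func = m.group(1)  # track the enclosing function for the location key
            continue
        if not SQL_VERB.search(line):
            continue
        for reason, pat in DYNAMIC_BUILD:
            if pat.search(line):
                findings.append(Finding(path, func, n, reason, line.strip()))
                break
    return findings


def regressions(fixed_locations, findings):
    """Findings at locations an earlier scan reported and a later scan cleared."""
    return [f for f in findings if f.location in fixed_locations]


def next_interval_days(recent_counts, current_days, floor=7, ceiling=30):
    """One cadence policy: halve the interval while every recent scan had
    findings, double it while every recent scan was clean, else keep it."""
    if not recent_counts:
        return current_days
    if all(c > 0 for c in recent_counts):
        return max(floor, current_days // 2)
    if all(c == 0 for c in recent_counts):
        return min(ceiling, current_days * 2)
    return current_days


# Constructed sample: the same function across three two-week iterations.
PATH = "app/users.py"  # hypothetical path
ITERATION_1 = '''
def get_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
'''
ITERATION_2 = '''
def get_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = %s", (name,))
    return cur.fetchone()
'''
ITERATION_3 = '''
def get_user(conn, name, order):
    cur = conn.cursor()
    cur.execute(f"SELECT id FROM users WHERE name = {name!r} ORDER BY {order}")
    return cur.fetchone()
'''


def run_gate():
    """Scan each iteration; report what the third scan reintroduced."""
    first = scan_source(PATH, ITERATION_1)
    second = scan_source(PATH, ITERATION_2)
    fixed = {f.location for f in first} - {f.location for f in second}
    third = scan_source(PATH, ITERATION_3)
    return first, second, regressions(fixed, third)


if __name__ == "__main__":
    first, second, regs = run_gate()
    print(f"iteration 1: {len(first)} finding(s); iteration 2: {len(second)}")
    for r in regs:
        print(f"REGRESSION {r.path}:{r.line_no} in {r.func}: {r.reason}")
    print("next interval:", next_interval_days([len(first), len(second), len(regs)], 14))
```

The point of keying regressions by (file, function) rather than by exact line text is that a reintroduced flaw rarely looks byte-for-byte like the original; here the first version concatenated strings and the third used an f-string, yet the gate still reports it as the same location coming back.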
There is no magic number I can offer to answer your question, but I can say that you need to do a comprehensive security examination periodically and consistently. Only you will know what's best for your environment and your business. Frequent smaller exams can give you the feedback you need to make the decision.