
How often should we do a comprehensive security exam?

For an enterprise application, assuming our development team does lots of little changes (in two- to three-week iterations), how frequently should we do a comprehensive security examination?

It's a good general rule to do a comprehensive security examination of your applications on a periodic basis (e.g., every quarter or every six months) or after any significant changes have been made. That way, you can uncover flaws that have been introduced into the code, have been found by others, or are better detected by your security testing tools or penetration testers.

Your development team needs to consider what a significant change is in terms of your application and company. Lots of little changes every two to three weeks can add up to big changes in the code base and overall attack surface. I worked on a project once where I uncovered SQL injection in a Web application. The issue was resolved, but the developer continued making other changes. Guess what? The original SQL injection flaw was reintroduced and subsequent security testing was not performed. Unfortunately, a criminal hacker discovered the flaw and this business suddenly had a credit card data breach to deal with.

Some people scan their applications and source code in near-real time, while others do it every few months. You might consider scanning more often (e.g., every week or month) and performing a more comprehensive security assessment less often (e.g., one to two times per year).

With lots of small iterations, it probably makes sense to run an automated scan as frequently as you iterate. With two-week iterations, for example, it would make sense to start with a source code scan every two weeks. If security problems keep popping up, consider scanning more frequently to weed out the source of those problems. If problems are rare, you might consider cutting back to once a month and going from there. These regular scans will help keep applications secure between more in-depth security audits.
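The two points above, the reintroduced SQL injection flaw and the scan cadence that tracks your iteration length, can both be made mechanical. The following is an added example, not code from the original answer: it keeps a history of scan runs keyed by a finding fingerprint (the `"type:file:function"` format, the `ScanRun` class and the sample history are all constructed for illustration), flags any finding that disappeared from a scan and later came back, and recommends a scan interval from recent results while tracking when a comprehensive assessment is due.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class ScanRun:
    run_date: date
    findings: frozenset  # finding fingerprints such as "sqli:orders.py:search_orders" (constructed format)

def reintroduced_findings(history):
    """Flaws that vanished from a scan (fixed) and later came back: {fingerprint: (fixed_on, reappeared_on)}."""
    state, closed_on, regressions = {}, {}, {}
    for run in sorted(history, key=lambda r: r.run_date):
        for fp in run.findings:
            if state.get(fp) == "closed":  # was fixed earlier and is now back: the regression described above
                regressions.setdefault(fp, (closed_on[fp], run.run_date))
            state[fp] = "open"
        for fp in list(state):
            if state[fp] == "open" and fp not in run.findings:
                state[fp], closed_on[fp] = "closed", run.run_date
    return regressions

def recommend_interval_days(history, iteration_days, window=3):
    """Scan every iteration; halve the interval if every recent scan surfaced new findings, stretch toward monthly if none did."""
    runs = sorted(history, key=lambda r: r.run_date)
    new_per_run = [len(b.findings - a.findings) for a, b in zip(runs, runs[1:])][-window:]
    if not new_per_run:
        return iteration_days
    if all(n > 0 for n in new_per_run):
        return max(1, iteration_days // 2)
    if all(n == 0 for n in new_per_run):
        return min(30, iteration_days * 2)
    return iteration_days

def comprehensive_due(last_assessment, today, max_gap_days=182, significant_change=False):
    """A full assessment is due roughly every six months or after a significant change (the team's own judgement)."""
    return significant_change or (today - last_assessment) > timedelta(days=max_gap_days)

# Constructed sample: two-week scans; the SQL injection fixed after the first run reappears in the third.
HISTORY = [
    ScanRun(date(2024, 1, 15), frozenset({"sqli:orders.py:search_orders", "xss:profile.html:bio"})),
    ScanRun(date(2024, 1, 29), frozenset({"xss:profile.html:bio"})),
    ScanRun(date(2024, 2, 12), frozenset({"sqli:orders.py:search_orders", "xss:profile.html:bio"})),
    ScanRun(date(2024, 2, 26), frozenset({"sqli:orders.py:search_orders", "csrf:account.py:change_email"})),
]

if __name__ == "__main__":
    print(reintroduced_findings(HISTORY))
    print(recommend_interval_days(HISTORY, iteration_days=14), comprehensive_due(HISTORY[0].run_date, HISTORY[-1].run_date))
```

A reintroduced fingerprint is the signal to treat the change as significant and pull the comprehensive assessment forward, regardless of the calendar.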

There is no magic number I can offer to answer your question, but I can say that you need to do a comprehensive security examination periodically and consistently. Only you will know what's best for your environment and your business. Frequent smaller exams can give you the feedback you need to make the decision.
