Is collaboration needed for security test or can that be outsourced?
For most organizations, security testing is handled by specialists and limited to functions like vulnerability scanning, patching desktops and looking at network weaknesses. If you follow industry news, you might make the assumption that the black hats are the only people out there actually doing security testing, as they seem to find and exploit errors on a regular basis -- I guess you could call this “outsourcing.”
In reality, no matter how good your security testing tools might be, you will need experts to help assess your applications. A big risk is complacency; even if you have done some basic scanning and testing, you s till need a specialized security expert roll up their sleeves and really run your software through the vulnerability wringer. Thus, I think some form of collaboration in security testing is always needed to do a thorough job.
In response to the original question, yes, collaboration is almost always needed. As for outsourcing, my advice is to keep it in-house, even if you have to hire an expert to assist occasionally, as it is your reputation on the line and not necessarily the outsourcing firm’s.
Dig Deeper on Topics Archive
Related Q&A from Mike Jones
The world of ALM tooling is always changing to overcome new challenges and better meet the needs of today’s application lifecycle. Here expert Mike ... Continue Reading
Modeling tools are a vital part of the ALM process, but how they integrate with each other varies greatly depending on the tool. Continue Reading
Application security testing tools can sometimes be considered part of the ALM tool set, and sometimes they fall under the category of the security ... Continue Reading