Home > Ask the Software Quality Experts > Application Security Questions & Answers > The most effective time to do security testing
Ask The Software Quality Expert: Questions & Answers
EMAIL THIS

The most effective time to do security testing

Chris Wysopal EXPERT RESPONSE FROM: Chris Wysopal

Pose a Question
Other Software Quality Categories
Meet all Software Quality Experts
Become an Expert for this site


Software quality news and advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


>
QUESTION POSED ON: 22 October 2007
At what point in the software development lifecycle (SDLC) is it appropriate, and most effective, to conduct security testing?

>
EXPERT RESPONSE
For years testing applications for security meant a pen test, or penetration test, at deployment. For almost as long, security consultants have urged users to push security testing to earlier in the development lifecycle. I agree. Threat modeling, security requirements definition and architectural reviews are critical during the design phase. During the development phase, however, you need to account for code velocity or code churn. It is not efficient to test applications for security while code is being added and removed in large chunks. Once one gets to the build stage, this changes. Major features are largely in place and code churn is lower. I recommend static analysis as builds progress, followed by static analysis and dynamic analysis as a staging environment is ready.

In the past, companies would focus on run-time security, i.e. testing applications after they are deployed in live environments, such as a Web site/ecommerce site. Over the past few years, many companies have been advocating the philosophy that you should start testing as early as possible. Why? If you catch potential vulnerabilities early, they are easier to fix and you will avoid much higher costs that could result from a breach later. The downside of that approach is that developers who are not security experts are spending significant amounts of time learning about and concentrating on security rather than focusing on writing good, functional code.

I have a different perspective. Rather than scanning an application every day or week, I recommend focusing on key milestones in the software development lifecycle. Testing code doesn't make sense until applications are past the build stage, i.e. at the integration testing level. That's because until you get to the integration testing level where the code is able to be compiled, you are looking at piecemeal code. Critical milestones are unit integration testing, alpha testing, beta testing, pre-deployment (staging environment), and then during the deployment cycle, typically quarterly for compliance assessments. I call this "injecting" best practices at critical milestones in the SDLC.


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Application Security
PCI DSS compliance: WAF, code review or both?
Application security careers have bright future
How to prevent anti-DNS pinning attacks
Open source application security testing tools
Java application security features and measures
Web application security testing basics
Password recovery with .NET 2.O using C#
Free load and performance testing tools
Finding backdoor threats within applications
SPML and SAML enhance application security in different ways

Building security into the SDLC (Software development life cycle)
Web application security and the PCI DSS
PCI DSS compliance: Web application firewalls (WAFs)
PCI DSS compliance: The basics
PCI DSS compliance: Code review
PCI DSS compliance: WAF, code review or both?
Application security careers have bright future
Writing software requirements that address security issues
Software Security Engineering: A Guide for Project Managers -- Chapter 3, Requirements Engineering for Secure Software
PCI DSS compliance: Web application firewall or code review?
Application security enters uncharted regions

Software security testing and techniques
Static analysis at the end of the SDLC doesn't work
Website security improved, but more can be done
How to learn white box testing
Security vulnerabilities found in open source Java projects
Fuzzing for Software Security Testing and Quality Assurance: Chapter 3, Testing for Quality
Ajax security -- Is anyone listening?
Critical security issues found in the Spring Framework
Web application security and the PCI DSS
PCI DSS compliance: Web application firewalls (WAFs)
PCI DSS compliance: Code review

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts