I'll second this. In addition to the reasons that Kevin mentions below, separating the two
provides more oversight to ensure that external or internal pressures don't create a
situation where the developers "certify" product that should not be. There's a lot to be said for
separation of duties.
Christopher
-----Original Message-----
From: Kevin Spett [mailto:kspett@spidynamics.com]
Sent: Mon 3/3/2003 2:04 PM
To: Ramirez, Manuel N (CORP, DDEMESIS); webappsec@securityfocus.com
Cc:
Subject: Re: Security Testing
While all developers should be aware of security issues and do their best to
harden what they build, I recommend that the security testing team be
separate from the development team if possible. Security testing is a
specialized skill that requires full-time dedication and experience to
acquire proficiency with. Also, people are less likely to find bugs in
their own work, which is one of the reasons that normal QA should be
separate from development.
Kevin.
----- Original Message -----
From: "Ramirez, Manuel N (CORP, DDEMESIS)"
To:
Sent: Monday, March 03, 2003 1:09 PM
Subject: Security Testing
Hi everybody,
I was wondering if some of you have some papers regarding web application
security testing. I'm working on a CMM initiative and we are planning to
include a security testing phase so every newly developed application is
security-error free.
Would you recommend every development team to perform security testing, or
is it better to have a group of experienced people doing these activities for
all of the developed applications?
Best regards,
Manuel
Received on Mon Mar 3 15:46:50 2003