
Re: Security Testing

From: Jeff Williams (at) Aspect <(at)>
Date: Mon Mar 03 2003 - 15:32:27 EST

I agree with Kevin about independence and objectivity of the security reviewers and testers. You should include application policy development and developer training into your process, so that developers understand what's expected of their code.

If you're already a CMM type organization, you might be interested in the System Security Engineering CMM (www.sse-cmm.org). It may help you figure out how to include basic security risk management practices into your development process.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Kevin Spett
To: Ramirez, Manuel N (CORP, DDEMESIS) ; webappsec@securityfocus.com
Sent: Monday, March 03, 2003 2:04 PM
Subject: Re: Security Testing

While all developers should be aware of security issues and do their best to harden what they build, I recommend that the security testing team be separate from the development team if possible. Security testing is a specialized skill that requires full-time dedication and experience to acquire proficiency with. Also, people are less likely to find bugs in their own work, which is one of the reasons that normal QA should be separate from development.

Kevin.

----- Original Message -----
From: "Ramirez, Manuel N (CORP, DDEMESIS)" <Manuel.Ramirez@ddemesis.ge.com>
To: <webappsec@securityfocus.com>
Sent: Monday, March 03, 2003 1:09 PM
Subject: Security Testing

Hi everybody,
I was wondering if some of you have some papers regarding web applications security testing. I'm working on a CMM initiative and we are planning to include a security testing phase so every new developed application is security-error free.

Would you recommend every development team to perform security testing or it's better to have a group of experienced people doing these activities for
all of the developed applications?

Best regards,
Manuel

Received on Mon Mar 3 15:54:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
